GHSA-pjvx-rx66-r3fg: OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
`/allowlist ... --store` resolved the selected channel `accountId` for reads, but store writes still dropped that `accountId` and wrote into the legacy unscoped pairing allowlist store.
Because default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the default account.
This is a real cross-account sender-authorization scoping bug. Severity is set to medium because exploitation requires an already-authorized user who can run `/allowlist` edits.
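The read/write mismatch described above, modelled as an added example (not OpenClaw's code; the store layout, function names and the sender value are assumptions): the vulnerable write drops the resolved `accountId` and lands in the legacy unscoped store, the fixed write keeps the entry scoped, and `isAllowed` shows the default-account legacy merge that turns the unscoped write into a cross-account grant.

```typescript
// Minimal model of the allowlist scoping bug (added example, not OpenClaw code).
class PairingAllowlist {
  // Legacy unscoped store: entries written before per-account scoping existed.
  private legacy = new Set<string>();
  // Per-account scoped stores, keyed by accountId.
  private scoped = new Map<string, Set<string>>();

  constructor(private readonly defaultAccountId: string = "default") {}

  // Read path: check the account's scoped entries; the default account
  // additionally merges legacy unscoped entries for backwards compatibility.
  isAllowed(accountId: string, sender: string): boolean {
    if (this.scoped.get(accountId)?.has(sender)) return true;
    return accountId === this.defaultAccountId && this.legacy.has(sender);
  }

  // Vulnerable write path: accountId was resolved by the caller but is
  // dropped here, so the entry goes into the legacy unscoped store.
  storeUnscoped(_accountId: string, sender: string): void {
    this.legacy.add(sender);
  }

  // Fixed write path: the entry is written under the resolved accountId.
  storeScoped(accountId: string, sender: string): void {
    let entries = this.scoped.get(accountId);
    if (!entries) {
      entries = new Set<string>();
      this.scoped.set(accountId, entries);
    }
    entries.add(sender);
  }
}

// Constructed sender value for the demonstration (not a real identifier).
const SENDER = "+15550001111";

// Returns whether a store intended for the "work" account also authorizes
// the same sender on the default account, for both write paths.
function demoCrossAccountGrant(): { vulnerable: boolean; fixed: boolean } {
  const vuln = new PairingAllowlist();
  vuln.storeUnscoped("work", SENDER);
  const fixed = new PairingAllowlist();
  fixed.storeScoped("work", SENDER);
  return {
    vulnerable: vuln.isAllowed("default", SENDER), // true: leaked grant
    fixed: fixed.isAllowed("default", SENDER),     // false: stays scoped
  };
}
```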