📰 Updated 2026-04-04 19:30
🔸 OpenClaw privilege escalation vulnerability
🔗 OpenClaw privilege escalation vulnerability
🔥 392 points
Original:
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path, which fails to forward the caller's scopes into the core approval check. A caller who holds pairing privileges but not admin privileges can approve pending device requests that ask for broader scopes, including admin access, because of the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.
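As an added illustration of the flaw class the description points at (not OpenClaw's own code; the scope names, the Caller and PendingRequest shapes, and the two approve functions are assumptions made for this example), the following shows an approval path that only checks whether the caller may run /pair approve at all, next to a hardened path that also receives the caller's scopes and refuses to grant any scope the approver does not itself hold:

```typescript
// Added example modelled on the described flaw class: an approval routine
// that never compares the approver's scopes with the scopes being granted.
// All names and the scope model are assumptions, not OpenClaw code.

type Scope = "pairing" | "read" | "write" | "admin";

interface Caller {
  id: string;
  scopes: ReadonlySet<Scope>; // scopes the approver actually holds
}

interface PendingRequest {
  deviceId: string;
  requestedScopes: ReadonlySet<Scope>; // what the new device asks for
}

interface ApprovalResult {
  approved: boolean;
  grantedScopes: Scope[];
  reason: string;
}

// Vulnerable shape: the command handler verifies only that the caller may
// run the approve command. The caller's scopes are not forwarded, so the
// core check cannot see that it is handing out more than the approver has.
function approveVulnerable(caller: Caller, req: PendingRequest): ApprovalResult {
  if (!caller.scopes.has("pairing")) {
    return { approved: false, grantedScopes: [], reason: "caller lacks pairing scope" };
  }
  // Modelled bug: requested scopes are granted wholesale.
  return { approved: true, grantedScopes: Array.from(req.requestedScopes), reason: "approved" };
}

// Hardened shape: the caller's scopes reach the core check, which requires
// the requested set to be a subset of what the approver holds.
function approveHardened(caller: Caller, req: PendingRequest): ApprovalResult {
  if (!caller.scopes.has("pairing")) {
    return { approved: false, grantedScopes: [], reason: "caller lacks pairing scope" };
  }
  const excess = Array.from(req.requestedScopes).filter((s) => !caller.scopes.has(s));
  if (excess.length > 0) {
    return {
      approved: false,
      grantedScopes: [],
      reason: `caller cannot grant scopes it does not hold: ${excess.join(", ")}`,
    };
  }
  return { approved: true, grantedScopes: Array.from(req.requestedScopes), reason: "approved" };
}

// Constructed sample data: a pairing-only operator and an admin, both asked
// to approve a device that requests admin access.
const pairingOnlyCaller: Caller = { id: "op-1", scopes: new Set<Scope>(["pairing", "read"]) };
const adminCaller: Caller = {
  id: "admin-1",
  scopes: new Set<Scope>(["pairing", "read", "write", "admin"]),
};
const adminRequest: PendingRequest = {
  deviceId: "dev-42",
  requestedScopes: new Set<Scope>(["read", "admin"]),
};

function demo(): { vulnerable: ApprovalResult; hardened: ApprovalResult; adminPath: ApprovalResult } {
  return {
    // pairing-only caller escalates the device to admin
    vulnerable: approveVulnerable(pairingOnlyCaller, adminRequest),
    // same caller is refused once scopes are compared
    hardened: approveHardened(pairingOnlyCaller, adminRequest),
    // a caller who actually holds admin may still grant it
    adminPath: approveHardened(adminCaller, adminRequest),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The subset check is the whole fix: whoever approves a pairing request can only delegate scopes they already possess, so holding the pairing capability alone no longer lets a caller mint an admin device.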
Auto-updated · body text fetched · bilingual translation