Severity: MEDIUM (5.3) · Ecosystem: npm

OpenClaw: Pairing pending-request caps were enforced per channel instead of per account

GHSA-wwfp-w96m-c6x8 · CVE-2026-41346


Description

Summary

Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file rather than per account. On channels configured with multiple accounts, pending requests from one account counted against the window shared by every account on that channel, so once the window was full, new pairing challenges on an unaffected account on the same channel were refused.

Impact

This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.
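The scoping defect described above, reduced to its core: the only difference between the vulnerable and fixed behaviour is the key under which the pending-request cap is counted. This is an added illustration, not OpenClaw's code; the class, function names, cap of 3 and one-hour expiry are all assumptions, and the channel and account identifiers are constructed sample values.

```javascript
// Added illustration (not OpenClaw's code): a pending pairing-request
// window whose cap is counted under a configurable key. "perChannel"
// models the pre-2026.3.31 behaviour described in the advisory;
// "perAccount" models the fix. All names and limits are hypothetical.

const MAX_PENDING = 3;          // assumed cap; the real value is not on the page
const TTL_MS = 60 * 60 * 1000;  // assumed lifetime of a pending request

class PendingPairingStore {
  constructor(scope, now = () => Date.now()) {
    this.scope = scope;        // "perChannel" (buggy) or "perAccount" (fixed)
    this.pending = new Map();  // cap key -> [{ code, accountId, expiresAt }]
    this.now = now;            // injectable clock so expiry can be tested
  }

  // The entire bug lives here: what the cap is keyed on. Keying on the
  // channel alone lets one account's requests consume another's budget.
  capKey(channel, accountId) {
    return this.scope === 'perAccount' ? `${channel}:${accountId}` : channel;
  }

  // Drop expired requests so an old burst cannot block the window forever.
  prune(key) {
    const t = this.now();
    const live = (this.pending.get(key) || []).filter(r => r.expiresAt > t);
    this.pending.set(key, live);
    return live;
  }

  // Returns true if a new pairing challenge may be issued, false if the
  // window for this key is already full (the availability failure).
  request(channel, accountId, code) {
    const key = this.capKey(channel, accountId);
    const live = this.prune(key);
    if (live.length >= MAX_PENDING) return false;
    live.push({ code, accountId, expiresAt: this.now() + TTL_MS });
    return true;
  }
}

// Scenario from the advisory: account A on one channel fills the window,
// then account B on the same channel tries to start pairing.
function otherAccountCanPair(scope) {
  const store = new PendingPairingStore(scope);
  for (let i = 0; i < MAX_PENDING; i++) {
    store.request('channel-1', 'accountA', `a${i}`);  // constructed sample ids
  }
  return store.request('channel-1', 'accountB', 'b0');
}

// Regression check for the fix: the cap must still hold for the account
// that actually produced the burst.
function sameAccountStillCapped(scope) {
  const store = new PendingPairingStore(scope);
  for (let i = 0; i < MAX_PENDING; i++) {
    store.request('channel-2', 'accountA', `a${i}`);
  }
  return store.request('channel-2', 'accountA', 'a-extra') === false;
}

// Expiry behaviour: a full window opens again once its requests age out,
// which is the "until an existing request was approved or expired" path.
function expiryFreesWindow() {
  let clock = 0;
  const store = new PendingPairingStore('perAccount', () => clock);
  for (let i = 0; i < MAX_PENDING; i++) {
    store.request('channel-3', 'accountA', `a${i}`);
  }
  const blocked = store.request('channel-3', 'accountA', 'late');  // window full
  clock = TTL_MS + 1;                                               // all expired
  const allowed = store.request('channel-3', 'accountA', 'late');
  return !blocked && allowed;
}

console.log('perChannel: other account can pair ->', otherAccountCanPair('perChannel'));
console.log('perAccount: other account can pair ->', otherAccountCanPair('perAccount'));
```

Under the per-channel key the second account is refused even though it has no pending requests of its own; under the per-account key it is admitted while the originating account remains capped. The same shape of defect appears in any quota or rate limit whose key is coarser than the principal it is meant to protect, so the check worth adding to a review is simply: is the limit keyed on the thing that can be starved?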

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: >= 2026.2.26, < 2026.3.31
  • Patched versions: >= 2026.3.31
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • 9bc1f896c8cd325dd4761681e9bdb8c425f69785 — scope pending request caps per account

Release Process Note

The fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains the fix.

Thanks @smaeljaish771 for reporting.
