OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
GHSA-7jp6-r74r-995q · CVE-2026-42433
Published · Modified
Description
Summary
Matrix profile config persistence was reachable from operator.write message tools.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.10 - Patched versions:
>= 2026.4.10
Impact
Gateway operator.write message-tool paths could reach Matrix profile persistence that should have required admin-level authority.
Technical Details
The fix gates Matrix profile updates for non-owner message-tool runs and prevents write-scoped callers from mutating persistent profile config.
Fix
The issue was fixed in #62662. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix.
Fix Commit(s)
fe0f686c9228fffcec6de4011da45e69a6e23e54- PR: #62662
Release Process Note
Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix.
Credits
Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42433
- WEB https://github.com/openclaw/openclaw/pull/62662
- WEB https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools
Ready to move
Start Securing
Free, no credit card | First findings in minutes