OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
GHSA-r77c-2cmr-7p47 · CVE-2026-43583
Published · Modified
Description
Summary
Delivery queue recovery could lose group tool-policy context for media replay.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.4.10 < 2026.4.14 - Patched versions:
>= 2026.4.14
Impact
Recovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.
Technical Details
The fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.
Fix
The issue was fixed in #66025. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix.
Fix Commit(s)
48aae82bbc19ba8b0741e61a08063eb0d1df464e- PR: #66025
Release Process Note
Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.
Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-r77c-2cmr-7p47
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-43583
- WEB https://github.com/openclaw/openclaw/pull/66025
- WEB https://github.com/openclaw/openclaw/commit/48aae82bbc19ba8b0741e61a08063eb0d1df464e
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://www.vulncheck.com/advisories/openclaw-loss-of-group-tool-policy-context-in-delivery-queue-recovery
Ready to move
Start Securing
Free, no credit card | First findings in minutes