+ "details": "> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n**Title** \nNon-owner command-authorized sender can change the owner-only `/send` session delivery policy\n\n**CWE** \nCWE-285 Improper Authorization\n\n**CVSS v3.1** \nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L \nBase score: **5.4 (Medium)**\n\n**Severity Assessment** \nMedium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise.\n\n**Impact** \nA non-owner sender who is allowed to run commands can invoke `/send on|off|inherit` and persistently change the current session’s `sendPolicy`, even though OpenClaw documents `/send` as owner-only.\n\nThat lets a lower-trust participant:\n- disable reply delivery for the current session (`/send off`), suppressing future replies in that chat;\n- re-enable reply delivery (`/send on`) after the owner intentionally disabled it;\n- remove the session override (`/send inherit`).\n\n**Affected Component** \nVerified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`.\n\nExact vulnerable path on the shipped tag:\n- `src/auto-reply/reply/commands-session.ts:212-239`\n - `handleSendPolicyCommand(...)` checks only `params.command.isAuthorizedSender`.\n - when true, it mutates `params.sessionEntry.sendPolicy` and persists the session entry.\n\nAuthorization behavior that makes this reachable:\n- `src/auto-reply/command-auth.ts:401-407`\n - `senderIsOwner` is computed separately from general command authorization.\n- `src/auto-reply/command-auth.ts:420-429`\n - command authorization can succeed even when `senderIsOwner === false`.\n- `src/auto-reply/command-auth.owner-default.test.ts:10-47`\n - existing coverage confirms a sender can be command-authorized while not treated as owner.\n\nDocumented owner-only contract:\n- `docs/tools/slash-commands.md:112`\n - `/send on|off|inherit` is documented as owner-only.\n- `docs/concepts/session-tool.md:156`\n - `sendPolicy` is documented as settable via `sessions.patch` or owner-only `/send on|off|inherit`.\n\nRelated privilege model:\n- `src/gateway/method-scopes.ts:131-133`\n - `sessions.patch` is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state.\n\nVersion history:\n- The vulnerable handler exists in release history going back at least to commit `ea018a68ccb92dbc735bc1df9880d5c95c63ca35` (`refactor(auto-reply): split reply pipeline`).\n- Earliest released affected tag found: `v2026.1.14-1`\n- Latest released affected tag verified: `v2026.3.23`\n\n**Technical Reproduction** \n1. Check out the shipped release tag `v2026.3.23`.\n2. Configure a channel where:\n - a non-owner sender is allowed to run commands, for example through `commands.allowFrom`;\n - the owner identity is distinct, for example via `commands.ownerAllowFrom`.\n3. Start or reuse a session with a live `sessionEntry` and `sessionStore`.\n4. Send `/send off` as the non-owner but command-authorized sender.\n5. Confirm the resolved command context has:\n - `isAuthorizedSender === true`\n - `senderIsOwner === false`\n6. Observe that the handler still accepts the command, mutates `sessionEntry.sendPolicy`, and persists the session entry.\n\n**Demonstrated Impact** \nThe vulnerable handler performs a real persistent session-state change:\n- `src/auto-reply/reply/commands-session.ts:232-238`\n - `/send inherit` deletes `sessionEntry.sendPolicy`\n - other modes assign `sessionEntry.sendPolicy = sendPolicyCommand.mode`\n - the handler then calls `persistSessionEntry(params)`\n\nThe mutation is not gated by owner status, only by general command authorization.\n\nThat changes subsequent delivery behavior for the current session, which matches the documented meaning of `sendPolicy`.\n\n**Environment** \n- Product: OpenClaw\n- Verified shipped tag: `v2026.3.23`\n- Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2`\n- Published GitHub release time: `2026-03-23T23:15:50Z`\n- Verification date: `2026-03-24`\n\n**Duplicate Check** \nUpon inspection there is no preexisting GHSA for `/send`.\n\nThis is distinct from:\n- `GHSA-r7vr-gr74-94p8`\n - that advisory covered owner-only authorization bypasses for `/config` and `/debug`, not `/send`.\n\nThis is the same authorization class, but a different privileged command surface that still lacks the owner check.\n\n**In Scope Check** \nThis report is in scope under `SECURITY.md` because:\n- it does **not** rely on adversarial operators sharing one gateway host or config;\n- it does **not** rely on trusted local state tampering;\n- `SECURITY.md:151-152` explicitly says non-owner sender status matters for owner-only tools and commands;\n- `/send` is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering.\n\nThis is therefore a concrete authorization flaw against a documented product boundary.\n\n**Remediation Advice** \n1. Change `/send` to require owner status, not just command authorization.\n2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as `/config`, `/debug`, and owner-only `/plugins` writes.\n3. Add regression coverage for the exact case where:\n - a non-owner sender is command-authorized;\n - `/send` must still be rejected unless `senderIsOwner === true`.\n4. Verify that the owner can still use `/send on|off|inherit` normally.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments