Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs

When

2026-06-16 21:32 UTC

Where

Global (internet)

Category

cyber_advisory · npm

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-985f-72mj-8gf7. This link is maintained to preserve external references. ## Original Description OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-16 21:32 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

• OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another orig…
  Shared actorsInvolves npm/openclaw, npm/openclaw· 78% match
• OpenClaw: Shell inline-command parsing could miss an allowlist check
  Shared actorsInvolves npm/openclaw, npm/openclaw· 74% match
• OpenClaw: Host environment sanitizer missed two Node.js control variables
  Shared actorsInvolves npm/openclaw, npm/openclaw· 74% match
• OpenClaw: Pairing-scoped device session could restore revoked node token authority
  Shared actorsInvolves npm/openclaw, npm/openclaw· 74% match
• OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
  Shared actorsInvolves npm/openclaw, npm/openclaw· 74% match
• OpenClaw: Tool group policy callers could accept unvalidated group IDs
  Shared actorsInvolves npm/openclaw, npm/openclaw· 74% match

← Back to the live map