CVE-2026-32039

描述

### Summary `channels.*.groups.*.toolsBySender` could match a privileged sender policy using a colliding mutable identity value (for example `senderName` or `senderUsername`) when deployments used untyped keys. The fix introduces explicit typed sender keys (`id:`, `e164:`, `username:`, `name:`), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions. ### Affected Packages / Versions - Package: npm `openclaw` - Affected versions: `<= 2026.2.21-2` - Latest published npm version at triage time (February 22, 2026): `2026.2.21-2` - Patched version (planned next release): `2026.2.22` ### Impact This is a sender-authorization bypass in group tool policy matching for deployments that use `toolsBySender` with untyped keys. Under those conditions, an attacker could inherit stronger tool permissions intended for another sender if they can force an identifier collision. ### Fix Commit(s) - `5547a2275cb69413af3b62c795b93214fe913b57` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.22`). Once that npm release is published, this advisory should only need publishing. OpenClaw thanks @jiseoung for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.22

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32039
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39
• WEBhttps://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender