{"id":"GHSA-3q42-xmxv-9vfr","summary":"OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send","details":"## Summary\nGateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow authenticated persistence class and should be normalized below high.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.24`\n- Patched versions: `\u003e= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `e34694733fc64931ed4a543c73d84ad3435d5df1` — 2026-03-25T19:55:26Z\n\n## Release Process Note\n- The fix is already present in released version `2026.3.28`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zpbrent for reporting.","modified":"2026-04-07T18:25:12.749224Z","published":"2026-04-07T18:11:02Z","database_specific":{"severity":"MODERATE","cwe_ids":["CWE-269"],"github_reviewed":true,"github_reviewed_at":"2026-04-07T18:11:02Z","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1"},{"type":"PACKAGE","url":"https://github.com/openclaw/openclaw"}],"affected":[{"package":{"name":"openclaw","ecosystem":"npm","purl":"pkg:npm/openclaw"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2026.3.28"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3q42-xmxv-9vfr/GHSA-3q42-xmxv-9vfr.json","last_known_affected_version_range":"\u003c= 2026.3.24"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}