VulnerableCode Vulnerability Details - VCID-rc3c-ycw2-nbcu

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-rc3c-ycw2-nbcu

Essentials
Severities (5)
References (3)
Severity details (5)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-rc3c-ycw2-nbcu
Aliases	GHSA-48vw-m3qc-wr99
Summary	OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths ## Summary Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Fix Commit(s) - `ccf16cd8892402022439346ae1d23352e3707e9e` ## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`. ## Code-Level Confirmation - src/gateway/server/ws-connection/message-handler.ts now strips unbound self-declared scopes on the trusted-proxy no-device path. - src/gateway/server/ws-connection/connect-policy.ts remains the allow path, but the shipped scope scrub prevents privilege retention without device identity. OpenClaw thanks @nexrin for reporting.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-48vw-m3qc-wr99
generic_textual	HIGH	https://github.com/openclaw/openclaw
generic_textual	HIGH	https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e
cvssv3.1_qr	HIGH	https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99
generic_textual	HIGH	https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99

Reference id	Reference type	URL
		https://github.com/openclaw/openclaw
GHSA-48vw-m3qc-wr99		https://github.com/advisories/GHSA-48vw-m3qc-wr99
GHSA-48vw-m3qc-wr99		https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-12T07:49:15.233823+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-48vw-m3qc-wr99/GHSA-48vw-m3qc-wr99.json	38.6.0