Security Advisories | Source: GitHub Security Advisories
[openclaw] OpenClaw: Node exec approvals could be replayed across nodes
By GitHub, March 3, 2026
**[openclaw] OpenClaw: Node exec approvals could be replayed across nodes**
**Summary**

`exec.approval` requests for `host=node` were not explicitly bound to the target `nodeId`, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet.

**Impact**

An operator approval for a `system.run` request could be reused across nodes if the request payload did not carry node identity through approval and execution checks.

**Affected Packages / Versions**

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.22-2`
- Fixed: `2026.2.23` (released)

**Mitigation**

Upgrade to `2026.2.23` or later once published.

**Fix Details**

The fix requires and persists `nodeId` for `host=node` approval requests and rejects execution when the approving node binding does not match the invoking node.

**Fix Commit(s)**

- `4a3f8438e527ac371a67fe7ac68a287f0dbe6063`

**Release Process Note**

`patched_versions` is pre-set to the released version (`2026.2.23`)...
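The binding described under Fix Details, sketched as an added example (not OpenClaw's code and not taken from the fix commit). `ApprovalStore`, its methods, the reason strings, and the `node-a` / `node-b` / `uptime` values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not OpenClaw source. Every name below is hypothetical.
class ApprovalStore {
  constructor() {
    this.records = new Map(); // approvalId -> persisted approval record
    this.nextId = 1;          // demo ids only; constructed for this example
  }

  // Persist an operator approval. host=node requests must name the target node.
  approve({ host, nodeId, command }) {
    if (host === "node" && (typeof nodeId !== "string" || nodeId === "")) {
      throw new Error("nodeId is required for host=node approval requests");
    }
    const approvalId = `approval-${this.nextId++}`;
    this.records.set(approvalId, { host, nodeId: nodeId ?? null, command });
    return approvalId;
  }

  // Unbound check: the command is compared, node identity never is.
  authorizeUnbound(approvalId, { command }) {
    const rec = this.records.get(approvalId);
    return rec !== undefined && rec.command === command;
  }

  // Bound check: the invoking node must equal the node stored with the approval.
  authorizeBound(approvalId, { invokingNodeId, command }) {
    const rec = this.records.get(approvalId);
    if (rec === undefined) return { ok: false, reason: "unknown-approval" };
    if (rec.command !== command) return { ok: false, reason: "command-mismatch" };
    if (rec.host === "node" && rec.nodeId !== invokingNodeId) {
      return { ok: false, reason: "node-mismatch" };
    }
    return { ok: true, reason: null };
  }
}

// Constructed scenario: one approval granted for node-a, then presented on node-b.
function demo() {
  const store = new ApprovalStore();
  const id = store.approve({ host: "node", nodeId: "node-a", command: "uptime" });
  const run = { command: "uptime" };
  return {
    unboundOnNodeB: store.authorizeUnbound(id, run),
    boundOnNodeB: store.authorizeBound(id, { ...run, invokingNodeId: "node-b" }),
    boundOnNodeA: store.authorizeBound(id, { ...run, invokingNodeId: "node-a" }),
  };
}

console.log(demo());
```

The unbound check accepts the approval regardless of which node presents it, while the bound check accepts it only on the node recorded at approval time.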
---
**[devsupporter commentary]**
This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.
![[openclaw] OpenClaw: Node exec approvals could be replayed across nodes](/assets/images/github_com_1772501105356.png)