Delivery queue recovery could lose group tool-policy context for media replay.
openclaw>= 2026.4.10 < 2026.4.14>= 2026.4.14Recovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.
The fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.
The issue was fixed in #66025. The first stable tag containing the fix is v2026.4.14, and [email protected] includes the fix.
48aae82bbc19ba8b0741e61a08063eb0d1df464eUsers should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
| Score | Percentile |
|---|---|
| 0.03% | 9.02% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-r77c-2cmr-7p47 ↗ |
| CVE | CVE-2026-43583 ↗ |
| CWE id | Name |
|---|---|
| CWE-862 | Missing Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | >= 2026.4.10, < 2026.4.14 | 2026.4.14 | — |