CVE Reports

Posted on • Originally published at cvereports.com

GHSA-pw7h-9g6p-c378: Authorization Bypass and Resource Exhaustion in OpenClaw Tlon Provider

Vulnerability ID: GHSA-PW7H-9G6P-C378
CVSS Score: 7.5
Published: 2026-03-26

The OpenClaw Tlon provider extension contains two logic flaws leading to authorization bypass and uncontrolled resource consumption. A truthiness check on array length treats an empty allowlist as if it were unset, so an empty allowlist is never applied and previously granted access cannot be revoked; separately, citation resolution is ordered before the authorization check, so unauthenticated users can trigger expensive citation processing.

TL;DR

A logic error in OpenClaw's Tlon extension prevents the revocation of access permissions via empty allowlists, and a design flaw permits unauthenticated users to trigger expensive network and processing tasks.


Technical Details

  • CWE ID: CWE-863, CWE-400
  • Attack Vector: Network
  • Authentication Required: None (for resource exhaustion)
  • Impact: Authorization Bypass, Denial of Service
  • Exploit Status: None documented
  • Fix Commit: 3cbf932413e41d1836cb91aed1541a28a3122f93

Affected Systems

  • OpenClaw
  • OpenClaw extensions/tlon
  • OpenClaw extensions/tlon: < patched version (Fixed in: Commit 3cbf932413e41d1836cb91aed1541a28a3122f93)

Code Analysis

Commit: 3cbf932

Fix allowlist reconciliation bug and reorder citation resolution to prevent resource exhaustion.
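As an added illustration of the two bug classes described above (this is not OpenClaw's code; the function names, the configuration shape and the constructed sender names are assumptions), each vulnerable pattern is shown beside its corrected form:

```javascript
// Hypothetical stand-ins for the Tlon provider's allowlist handling and
// message pipeline; names and shapes are assumptions, not the project's API.

// Allowlist established by an earlier configuration (constructed sample).
const DEFAULT_ALLOWLIST = ["~zod", "~nec"];

// Vulnerable reconciliation: `incoming.length` is 0 for [], which is falsy,
// so an operator setting allowlist: [] to revoke everyone keeps the old list.
function reconcileAllowlistVulnerable(previous, incoming) {
  return incoming && incoming.length ? incoming : previous;
}

// Fixed reconciliation: only an absent or non-array value means "keep previous";
// an explicit empty array is applied as-is and revokes all access.
function reconcileAllowlistFixed(previous, incoming) {
  return Array.isArray(incoming) ? incoming : previous;
}

function isAllowed(allowlist, sender) {
  return allowlist.includes(sender);
}

// Stand-in for the expensive citation work (network fetches, parsing).
// The counter records how many times it ran.
function resolveCitations(message, counter) {
  counter.calls += 1;
  return message.citations.map((c) => ({ ref: c, resolved: true }));
}

// Vulnerable ordering: citations are resolved before the sender is checked,
// so a rejected sender still costs the full processing.
function handleMessageVulnerable(allowlist, message, counter) {
  const resolved = resolveCitations(message, counter);
  if (!isAllowed(allowlist, message.sender)) return { accepted: false };
  return { accepted: true, citations: resolved };
}

// Fixed ordering: authorization first; expensive work only for allowed senders.
function handleMessageFixed(allowlist, message, counter) {
  if (!isAllowed(allowlist, message.sender)) return { accepted: false };
  return { accepted: true, citations: resolveCitations(message, counter) };
}
```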

Mitigation Strategies

  • Update OpenClaw to a version containing the fix commit 3cbf932413e41d1836cb91aed1541a28a3122f93.
  • Implement rate limiting at the network boundary to mitigate unauthenticated message floods.
  • Enforce strict schema validation on configuration objects to prevent null injection.
  • Use dummy values (e.g., a non-existent user string) instead of empty arrays when manual revocation is required on unpatched systems.

Remediation Steps:

  1. Identify the deployed version of the OpenClaw framework and the Tlon extension.
  2. Fetch the latest release or apply commit 3cbf932413e41d1836cb91aed1541a28a3122f93 to the local codebase.
  3. Rebuild and restart the OpenClaw application service.
  4. Verify the new authorization logic by explicitly setting an empty allowlist and confirming access is denied for previous users.
  5. Monitor application logs for TypeError exceptions related to null array evaluation.
