GHSA-h43v-27wg-5mf9: OpenClaw: pre-auth signature bypass enables pairing DoS
GHSA-h43v-27wg-5mf9 (severity: MEDIUM)
OpenClaw's Nostr DM ingress path accepts and partially processes inbound messages before verifying cryptographic signatures, allowing any unauthenticated remote sender to exhaust shared pairing slots and generate bounded relay and logging overhead (CWE-347). While the impact ceiling is capped — no decryption, no session hijack, no authorization bypass is achievable — the affected package carries 37 cumulative CVEs, a flag that should prompt broader architectural scrutiny of any OpenClaw deployment. No EPSS data or public exploit is available, and the issue is absent from CISA KEV, placing current active exploitation risk as low. Upgrade to openclaw ≥ 2026.3.31 (or the current 2026.4.1 release) immediately; if patching is delayed, implement network-level rate limiting or allowlisting on Nostr DM ingress to restrict which senders can initiate pairing.
Risk Assessment
Medium risk overall, trending low for near-term exploitation. The vulnerability is remotely exploitable with no authentication required and trivial to trigger by sending forged Nostr DM events. However, impact is structurally bounded to resource consumption — no data exfiltration, privilege escalation, or code execution is possible. The 37-CVE history of this package is the more meaningful risk signal: it indicates either an immature security posture or an actively targeted attack surface. Organizations running OpenClaw agents on shared infrastructure face elevated exposure due to pairing capacity exhaustion affecting multiple tenants.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | >= 2026.3.22, < 2026.3.31 | 2026.3.31 |
Recommended Action
- Patch immediately: upgrade openclaw to >= 2026.3.31 (fix commit 4ee742174f36b5445703e3b1ef2fbd6ae6700fa4) or the current 2026.4.1 release.
- Workaround: if immediate patching is blocked, implement network-level rate limiting or Nostr public-key allowlisting on DM ingress to restrict unauthorized pairing initiators.
- Detection: monitor for anomalous spikes in pairing-challenge log entries or relay activity, particularly from unknown or high-volume Nostr public keys.
- Given the 37-CVE history of this package, conduct a broader security review of your OpenClaw deployment: evaluate whether the Nostr channel is exposed beyond intended scope and assess whether additional isolation is warranted around agent pairing interfaces.
Technical Details
NVD Description
## Summary
Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection.
## Impact
An unauthenticated remote sender could consume shared pairing capacity and trigger bounded relay/logging work on the Nostr channel. This issue did not grant message decryption, pairing approval, or broader authorization bypass.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `>= 2026.3.22, < 2026.3.31`
- Patched versions: `>= 2026.3.31`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `4ee742174f36b5445703e3b1ef2fbd6ae6700fa4` — verify inbound DM signatures before pairing replies
## Release Process Note
The fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix. Thanks @smaeljaish771 for reporting.
Exploitation Scenario
An adversary sends a high volume of crafted Nostr DM events bearing forged signatures to an OpenClaw instance exposed on the Nostr network. Each message passes initial ingress handling, triggers a pairing-challenge reply, and generates relay and logging activity before the signature is ultimately rejected. By sustaining this flood, the adversary saturates available pairing capacity, preventing legitimate users or peer AI agents from establishing new pairing sessions. In environments where OpenClaw agents coordinate via Nostr-based pairing — for example, multi-agent workflows where agents must pair before exchanging tasks — this disruption could stall agent-to-agent communication during the attack window.
Related Vulnerabilities
- CVE-2026-30741 (9.8): OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3): OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-m3mh-3mpg-37hw (8.6): OpenClaw: .npmrc hijack enables RCE on plugin install (same package: openclaw)
- CVE-2026-27001 (7.8): OpenClaw: prompt injection via unsanitized workspace path (same package: openclaw)
- GHSA-hr5v-j9h9-xjhg (7.7): OpenClaw: sandbox escape via mediaUrl path traversal (same package: openclaw)