GHSA-33RQ-M5X2-FVGF
Vulnerability from github – Published: 2026-02-17 21:37 – Updated: 2026-03-11 20:41
Summary
In the optional Twitch channel plugin (`extensions/twitch`), `allowFrom` is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If `allowedRoles` is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline.
Scope note: This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw installs that do not install/enable the Twitch plugin are not impacted.
Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `>= 2026.1.29, < 2026.2.1`
- Fixed: `>= 2026.2.1`
Details
Affected component: Twitch plugin access control (`extensions/twitch/src/access-control.ts`).
Problematic logic in `checkTwitchAccessControl()`:
- When `allowFrom` was configured, the code returned `allowed: true` for members but did not return `allowed: false` for non-members, so execution fell through.
- If `allowedRoles` was unset or empty, the function returned `allowed: true` by default, even when `allowFrom` was configured.
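As an added illustration (not the OpenClaw project's code), the TypeScript below models the decision path the two bullets describe, first in its flawed form and then hardened so that `allowFrom` is a hard gate. The config and sender shapes, the `reason` strings, the function names and the sample user IDs are assumptions made for this example; only the two behaviours listed above (fall-through for non-members, default allow when `allowedRoles` is empty) come from the advisory. How the real plugin combines `allowFrom` with `allowedRoles` once the gate is passed is not stated on this page, so the hardened form simply keeps the role check as it was.

```typescript
// Added illustration, not the OpenClaw project's code. Field names, return
// shape and helper names are assumptions made for this example.

type TwitchAccessConfig = {
  allowFrom?: string[];     // documented as a hard allowlist of Twitch user IDs
  allowedRoles?: string[];  // role names the plugin accepts (assumed shape)
};

type TwitchSender = {
  userId: string;
  roles: string[];
};

type AccessDecision = { allowed: boolean; reason: string };

// Flawed decision path as the advisory describes it.
function checkTwitchAccessControlVulnerable(
  cfg: TwitchAccessConfig,
  sender: TwitchSender,
): AccessDecision {
  if (cfg.allowFrom && cfg.allowFrom.length > 0) {
    if (cfg.allowFrom.includes(sender.userId)) {
      return { allowed: true, reason: "allowFrom member" };
    }
    // Defect 1: no `return { allowed: false }` for non-members; control falls through.
  }
  const roles = cfg.allowedRoles;
  if (!roles || roles.length === 0) {
    // Defect 2: default allow, even though allowFrom was configured above.
    return { allowed: true, reason: "no allowedRoles configured" };
  }
  return sender.roles.some((r) => roles.includes(r))
    ? { allowed: true, reason: "role match" }
    : { allowed: false, reason: "role not allowed" };
}

// Hardened form: a configured allowFrom denies every non-member before any
// role-based default can apply. The role check that follows is unchanged.
function checkTwitchAccessControlFixed(
  cfg: TwitchAccessConfig,
  sender: TwitchSender,
): AccessDecision {
  if (cfg.allowFrom && cfg.allowFrom.length > 0) {
    if (!cfg.allowFrom.includes(sender.userId)) {
      return { allowed: false, reason: "not in allowFrom" };
    }
  }
  const roles = cfg.allowedRoles;
  if (!roles || roles.length === 0) {
    return { allowed: true, reason: "no role restriction configured" };
  }
  return sender.roles.some((r) => roles.includes(r))
    ? { allowed: true, reason: "role match" }
    : { allowed: false, reason: "role not allowed" };
}

// Regression check mirroring the advisory's configuration: allowFrom set,
// allowedRoles empty, message from a user ID that is not on the list.
// All values are constructed for this example.
function advisoryScenario(): { vulnerable: AccessDecision; fixed: AccessDecision } {
  const cfg: TwitchAccessConfig = { allowFrom: ["12345"], allowedRoles: [] };
  const outsider: TwitchSender = { userId: "99999", roles: [] };
  return {
    vulnerable: checkTwitchAccessControlVulnerable(cfg, outsider), // allowed: true (the bug)
    fixed: checkTwitchAccessControlFixed(cfg, outsider),           // allowed: false
  };
}

console.log(JSON.stringify(advisoryScenario(), null, 2));
```

`advisoryScenario()` is the kind of unit test an operator can keep in the plugin's test suite: it pins the exact configuration the advisory names and fails if a non-allowlisted user is ever allowed through again.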
Proof of Concept (PoC)
1. Install and enable the Twitch plugin.
2. Configure an `allowFrom` list, but do not set `allowedRoles` (or set it to an empty list).
3. From a different Twitch account whose user ID is NOT in `allowFrom`, send a message that mentions the bot (for example `@<botname> hello`).
4. Observe the message is processed and can trigger agent dispatch/replies despite not being allowlisted.
Impact
Authorization bypass for operators who relied on allowFrom to restrict who can invoke the bot in Twitch chat. Depending on configuration (tools, routing, model costs), this could lead to unintended actions/responses and resource or cost exhaustion.
Fix Commit(s)
8c7901c984866a776eb59662dc9d8b028de4f0d0
Workaround
Upgrade to `openclaw >= 2026.2.1`.
Thanks @MegaManSec (https://joshua.hu) of AISLE Research Team (https://aisle.com/) for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2026.1.29"
},
{
"fixed": "2026.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28448"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T21:37:55Z",
"nvd_published_at": "2026-03-05T22:16:16Z",
"severity": "HIGH"
},
"details": "### Summary\n\nIn the optional Twitch channel plugin (`extensions/twitch`), `allowFrom` is documented as a hard allowlist of Twitch user IDs, but it was not enforced as a hard gate. If `allowedRoles` is unset or empty, the access control path defaulted to allow, so any Twitch user who could mention the bot could reach the agent dispatch pipeline.\n\n**Scope note:** This only affects deployments that installed and enabled the Twitch plugin. Core OpenClaw installs that do not install/enable the Twitch plugin are not impacted.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003e= 2026.1.29, \u003c 2026.2.1`\n- Fixed: `\u003e= 2026.2.1`\n\n### Details\n\nAffected component: Twitch plugin access control (`extensions/twitch/src/access-control.ts`).\n\nProblematic logic in `checkTwitchAccessControl()`:\n\n- When `allowFrom` was configured, the code returned `allowed: true` for members but did not return `allowed: false` for non-members, so execution fell through.\n- If `allowedRoles` was unset or empty, the function returned `allowed: true` by default, even when `allowFrom` was configured.\n\n### Proof of Concept (PoC)\n\n1. Install and enable the Twitch plugin.\n2. Configure an `allowFrom` list, but do not set `allowedRoles` (or set it to an empty list).\n3. From a different Twitch account whose user ID is NOT in `allowFrom`, send a message that mentions the bot (for example `@\u003cbotname\u003e hello`).\n4. Observe the message is processed and can trigger agent dispatch/replies despite not being allowlisted.\n\n### Impact\n\nAuthorization bypass for operators who relied on `allowFrom` to restrict who can invoke the bot in Twitch chat. Depending on configuration (tools, routing, model costs), this could lead to unintended actions/responses and resource or cost exhaustion.\n\n### Fix Commit(s)\n\n- `8c7901c984866a776eb59662dc9d8b028de4f0d0`\n\n### Workaround\n\nUpgrade to `openclaw \u003e= 2026.2.1`.\n\nThanks @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.",
"id": "GHSA-33rq-m5x2-fvgf",
"modified": "2026-03-11T20:41:24Z",
"published": "2026-02-17T21:37:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28448"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/8c7901c984866a776eb59662dc9d8b028de4f0d0"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.1"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-twitch-plugin-allowfrom-access-control"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.