Description
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel.
Published: 2026-04-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Signature verification bypass enabling forged Nostr DM pairing entries and potential resource exhaustion
Action: Upgrade
AI Analysis

Impact

OpenClaw releases prior to 2026.3.31 allow an attacker to send forged Nostr direct messages because the system fails to validate the event signature before processing pairing challenges. This flaw enables the creation of pending pairing entries without proper authorization, giving the attacker a foothold to flood the Nostr channel with unsolicited pairing‑reply attempts. The consequence is consumption of shared pairing capacity and execution of bound relay and logging workloads, which could degrade system performance or lead to denial of service for legitimate users.

Affected Systems

OpenClaw application versions 2026.3.22 through 2026.3.30 are affected. The vulnerability applies broadly to all deployments of that product built with the mentioned versions and built on a Node.js runtime with the compound Nostr integration described by the CPE string.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate impact with limited scope if the attacker can reach the Nostr ingress path. No EPSS data is available, so the exploitation probability remains unknown, and the issue is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated remote request to the Nostr DM endpoint, exploiting the missing signature check to inject forged messages.

Generated by OpenCVE AI on April 21, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.3.31 or later, which incorporates a signature verification fix for the Nostr DM ingress
  • Disable or quarantine the Nostr DM feature if an upgrade cannot be applied immediately, preventing pairing challenge processing
  • Implement rate limiting or capacity controls on the Nostr channel to mitigate flooding from forged pairing attempts
  • Review relay and logging configuration to ensure bounded resource usage and monitor for anomalous log spikes that may indicate exploitation

Generated by OpenCVE AI on April 21, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h43v-27wg-5mf9 OpenClaw: Forged Nostr DMs could create pairing state before signature verification
History

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel.
Title OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-347
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T13:33:53.554Z

Reserved: 2026-04-20T14:01:13.151Z

Link: CVE-2026-41301

cve-icon Vulnrichment

Updated: 2026-04-21T13:33:31.707Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T00:16:30.873

Modified: 2026-04-27T16:56:50.063

Link: CVE-2026-41301

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T15:45:07Z

Weaknesses