Lookup for vulnerable packages by Package URL.

Purl pkg:npm/openclaw@2026.4.22-beta.1
Type npm
Namespace
Name openclaw
Version 2026.4.22-beta.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2026.4.23
Latest_non_vulnerable_version 2026.4.23
Affected_by_vulnerabilities
0
url VCID-4316-7q9a-xuhx
vulnerability_id VCID-4316-7q9a-xuhx
summary
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
## Summary

OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.

## Impact

An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`

## Fix

Webhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected.

## Fix Commit(s)

- `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`)

## Severity

Severity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45005
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.17844
published_at 2026-06-07T12:55:00Z
1
value 0.00056
scoring_system epss
scoring_elements 0.17878
published_at 2026-06-06T12:55:00Z
2
value 0.00056
scoring_system epss
scoring_elements 0.17882
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45005
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 6.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa
reference_id
reference_type
scores
0
value 6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
1
value 6.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
2
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/
url https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9
reference_id
reference_type
scores
0
value 6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
1
value 6.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-45005
reference_id
reference_type
scores
0
value 6.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-45005
5
reference_url https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation
reference_id
reference_type
scores
0
value 6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
1
value 6.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
2
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/
url https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation
6
reference_url https://github.com/advisories/GHSA-q8ff-7ffm-m3r9
reference_id GHSA-q8ff-7ffm-m3r9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q8ff-7ffm-m3r9
fixed_packages
0
url pkg:npm/openclaw@2026.4.23
purl pkg:npm/openclaw@2026.4.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23
aliases CVE-2026-45005, GHSA-q8ff-7ffm-m3r9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4316-7q9a-xuhx
1
url VCID-4u3z-rs45-gbhe
vulnerability_id VCID-4u3z-rs45-gbhe
summary
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
## Summary
Workspace dotenv files cannot override connector endpoint hosts.

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint.

## Fix
Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate.

## Fix Commit(s)
- 0623079e98abf7202591f1b04a89755eb7ec9272

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @qi-scape for reporting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45003
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01337
published_at 2026-06-05T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01342
published_at 2026-06-07T12:55:00Z
2
value 0.00011
scoring_system epss
scoring_elements 0.01341
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45003
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value 4.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/
url https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 4.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-45003
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-45003
5
reference_url https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value 4.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/
url https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files
6
reference_url https://github.com/advisories/GHSA-55cf-xx38-4p9p
reference_id GHSA-55cf-xx38-4p9p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-55cf-xx38-4p9p
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases CVE-2026-45003, GHSA-55cf-xx38-4p9p
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4u3z-rs45-gbhe
2
url VCID-dv5s-pvw1-a7fu
vulnerability_id VCID-dv5s-pvw1-a7fu
summary
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
## Summary

OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution.

## Impact

This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`

## Fix

OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution.

## Fix Commit(s)

- `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`)

## Severity

Severity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45004
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0286
published_at 2026-06-05T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02815
published_at 2026-06-07T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02869
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45004
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/
url https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-45004
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-45004
5
reference_url https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/
url https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory
6
reference_url https://github.com/advisories/GHSA-r39h-4c2p-3jxp
reference_id GHSA-r39h-4c2p-3jxp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r39h-4c2p-3jxp
fixed_packages
0
url pkg:npm/openclaw@2026.4.23
purl pkg:npm/openclaw@2026.4.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23
aliases CVE-2026-45004, GHSA-r39h-4c2p-3jxp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dv5s-pvw1-a7fu
3
url VCID-e25p-j5ed-yqfz
vulnerability_id VCID-e25p-j5ed-yqfz
summary
OpenClaw's Gateway Control UI bootstrap config required Gateway auth
## Summary
Gateway Control UI bootstrap config required Gateway auth.

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions.

## Fix
The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling.

## Fix Commit(s)
- 2321d67263bc710e357644d59f746b08d891051b

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @zsxsoft for reporting.
references
0
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
1
reference_url https://github.com/openclaw/openclaw/commit/2321d67263bc710e357644d59f746b08d891051b
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw/commit/2321d67263bc710e357644d59f746b08d891051b
2
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v
3
reference_url https://github.com/advisories/GHSA-93rg-2xm5-2p9v
reference_id GHSA-93rg-2xm5-2p9v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-93rg-2xm5-2p9v
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases GHSA-93rg-2xm5-2p9v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e25p-j5ed-yqfz
4
url VCID-jshg-1pb2-wbak
vulnerability_id VCID-jshg-1pb2-wbak
summary
OpenClaw validates Zalo outbound photo URLs through the SSRF guard
## Summary
Zalo outbound photo URLs are validated through the SSRF guard.

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy.

## Fix
Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers.

## Fix Commit(s)
- a65eb1b864b7630c1242a82de9e5799b80583c3f

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @foodlook for reporting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44116
reference_id
reference_type
scores
0
value 0.00044
scoring_system epss
scoring_elements 0.13839
published_at 2026-06-05T12:55:00Z
1
value 0.00044
scoring_system epss
scoring_elements 0.13842
published_at 2026-06-06T12:55:00Z
2
value 0.00048
scoring_system epss
scoring_elements 0.1519
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44116
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/
url https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44116
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44116
5
reference_url https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/
url https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation
6
reference_url https://github.com/advisories/GHSA-2hh7-c75g-qj2r
reference_id GHSA-2hh7-c75g-qj2r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2hh7-c75g-qj2r
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases CVE-2026-44116, GHSA-2hh7-c75g-qj2r
risk_score 3.9
exploitability 0.5
weighted_severity 7.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jshg-1pb2-wbak
5
url VCID-kcy2-a98b-uyg7
vulnerability_id VCID-kcy2-a98b-uyg7
summary
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs
## Summary
Exec allowlist analysis rejects shell expansion in unquoted heredocs.

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime.

## Fix
The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text.

## Fix Commit(s)
- b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

Thanks @VladimirEliTokarev for reporting.
references
0
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
1
reference_url https://github.com/openclaw/openclaw/commit/b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw/commit/b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5
2
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx
3
reference_url https://github.com/advisories/GHSA-x3h8-jrgh-p8jx
reference_id GHSA-x3h8-jrgh-p8jx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x3h8-jrgh-p8jx
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases GHSA-x3h8-jrgh-p8jx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kcy2-a98b-uyg7
6
url VCID-ry1r-br3q-2uaw
vulnerability_id VCID-ry1r-br3q-2uaw
summary
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
## Summary
MCP loopback owner context is derived from server-issued bearer tokens.

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations.

## Fix
The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted.

## Fix Commit(s)
- 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @VladimirEliTokarev for reporting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44118
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01838
published_at 2026-06-05T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.01843
published_at 2026-06-06T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02646
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44118
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/
url https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44118
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44118
5
reference_url https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/
url https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header
6
reference_url https://github.com/advisories/GHSA-r6xh-pqhr-v4xh
reference_id GHSA-r6xh-pqhr-v4xh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r6xh-pqhr-v4xh
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases CVE-2026-44118, GHSA-r6xh-pqhr-v4xh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ry1r-br3q-2uaw
7
url VCID-t2ve-xemk-mqa9
vulnerability_id VCID-t2ve-xemk-mqa9
summary
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
## Summary
OpenShell FS bridge writes stay pinned to the sandbox mount root

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root.

## Fix
OpenShell write paths now validate the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox.

## Fix Commit(s)
- 7be82d4fd1193bcb7e44ee38838f00bf924ffa76

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

Thanks @VladimirEliTokarev for reporting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44112
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09643
published_at 2026-06-06T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09624
published_at 2026-06-05T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.11223
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44112
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
2
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/
url https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
4
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H
5
value MODERATE
scoring_system generic_textual
scoring_elements
6
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44112
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44112
5
reference_url https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
2
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/
url https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes
6
reference_url https://github.com/advisories/GHSA-wppj-c6mr-83jj
reference_id GHSA-wppj-c6mr-83jj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wppj-c6mr-83jj
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases CVE-2026-44112, GHSA-wppj-c6mr-83jj
risk_score 4.3
exploitability 0.5
weighted_severity 8.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t2ve-xemk-mqa9
8
url VCID-xj73-kszs-yygp
vulnerability_id VCID-xj73-kszs-yygp
summary
OpenClaw's ACP child sessions inherit subagent security envelope constraints
## Summary
ACP child sessions inherit subagent security envelope constraints.

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions.

## Fix
ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions.

## Fix Commit(s)
- 31160dc069b7cc5d833b39c53736a41ad3befda2

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44997
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08411
published_at 2026-06-05T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08403
published_at 2026-06-07T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08423
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44997
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/
url https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44997
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44997
5
reference_url https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/
url https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions
6
reference_url https://github.com/advisories/GHSA-q3jj-46pq-826r
reference_id GHSA-q3jj-46pq-826r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q3jj-46pq-826r
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases CVE-2026-44997, GHSA-q3jj-46pq-826r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xj73-kszs-yygp
9
url VCID-ye4t-n6r3-67ab
vulnerability_id VCID-ye4t-n6r3-67ab
summary
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes
## Summary

The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations.

## Impact

A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`

## Fix

OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked.

## Fix Commit(s)

- `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`)

## Severity

Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation.
references
0
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
1
reference_url https://github.com/openclaw/openclaw/commit/bceda6089aa7b3695cc7696b43c61ae3d01bb0ec
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw/commit/bceda6089aa7b3695cc7696b43c61ae3d01bb0ec
2
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr
3
reference_url https://github.com/advisories/GHSA-cwj3-vqpp-pmxr
reference_id GHSA-cwj3-vqpp-pmxr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cwj3-vqpp-pmxr
fixed_packages
0
url pkg:npm/openclaw@2026.4.23
purl pkg:npm/openclaw@2026.4.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23
aliases GHSA-cwj3-vqpp-pmxr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ye4t-n6r3-67ab
10
url VCID-ymmv-2qmq-6kap
vulnerability_id VCID-ymmv-2qmq-6kap
summary
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
## Summary
OpenShell FS bridge reads pin and verify the opened file before returning bytes

## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact
A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read.

## Fix
OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback.

## Fix Commit(s)
- 95119017c847c737bd113f0bff728c4666d79c45

## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

Thanks @VladimirEliTokarev for reporting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44113
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.09994
published_at 2026-06-06T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.09978
published_at 2026-06-05T12:55:00Z
2
value 0.00038
scoring_system epss
scoring_elements 0.11564
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44113
1
reference_url https://github.com/openclaw/openclaw
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/openclaw/openclaw
2
reference_url https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
2
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/
url https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45
3
reference_url https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
4
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
5
value MODERATE
scoring_system generic_textual
scoring_elements
6
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/
url https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44113
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44113
5
reference_url https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
2
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/
url https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge
6
reference_url https://github.com/advisories/GHSA-5h3g-6xhh-rg6p
reference_id GHSA-5h3g-6xhh-rg6p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5h3g-6xhh-rg6p
fixed_packages
0
url pkg:npm/openclaw@2026.4.22
purl pkg:npm/openclaw@2026.4.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4316-7q9a-xuhx
1
vulnerability VCID-dv5s-pvw1-a7fu
2
vulnerability VCID-ye4t-n6r3-67ab
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22
aliases CVE-2026-44113, GHSA-5h3g-6xhh-rg6p
risk_score 3.8
exploitability 0.5
weighted_severity 7.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ymmv-2qmq-6kap
Fixing_vulnerabilities
Risk_score 4.3
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22-beta.1