Package Instance
Look up a package by Package URL (purl) and return the vulnerabilities that affect it, the vulnerabilities it fixes, and the next and latest non-vulnerable versions.
GET /api/packages/74091?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/74091?format=api", "purl": "pkg:npm/clawdbot@2026.1.24-3", "type": "npm", "namespace": "", "name": "clawdbot", "version": "2026.1.24-3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2026.1.29", "latest_non_vulnerable_version": "2026.2.14", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50204?format=api", "vulnerability_id": "VCID-3m66-j8ru-gkhq", "summary": "OpenClaw affected by denial of service via unbounded webhook request body buffering\nMultiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478", "reference_id": "CVE-2026-28478", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478" }, { "reference_url": "https://github.com/advisories/GHSA-q447-rj3r-2cgh", "reference_id": "GHSA-q447-rj3r-2cgh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q447-rj3r-2cgh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh", "reference_id": "GHSA-q447-rj3r-2cgh", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh" } ], "fixed_packages": [], "aliases": [ "CVE-2026-28478", "GHSA-q447-rj3r-2cgh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3m66-j8ru-gkhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50202?format=api", 
"vulnerability_id": "VCID-6xkm-ym55-2yfp", "summary": "OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks\nBase64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612", "reference_id": "CVE-2026-29612", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612" }, { "reference_url": "https://github.com/advisories/GHSA-w2cg-vxx6-5xjg", "reference_id": "GHSA-w2cg-vxx6-5xjg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w2cg-vxx6-5xjg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg", "reference_id": "GHSA-w2cg-vxx6-5xjg", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg" } ], 
"fixed_packages": [], "aliases": [ "CVE-2026-29612", "GHSA-w2cg-vxx6-5xjg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6xkm-ym55-2yfp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50199?format=api", "vulnerability_id": "VCID-73gk-ecqv-tyej", "summary": "OpenClaw Telegram allowlist authorization accepted mutable usernames\nTelegram allowlist authorization could match on `@username` (mutable/recyclable) instead of immutable numeric sender IDs.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480", "reference_id": "CVE-2026-28480", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-28480" }, { "reference_url": "https://github.com/advisories/GHSA-mj5r-hh7j-4gxf", "reference_id": "GHSA-mj5r-hh7j-4gxf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mj5r-hh7j-4gxf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf", "reference_id": "GHSA-mj5r-hh7j-4gxf", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf" } ], "fixed_packages": [], "aliases": [ "CVE-2026-28480", "GHSA-mj5r-hh7j-4gxf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-73gk-ecqv-tyej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50188?format=api", "vulnerability_id": "VCID-8bxj-nx1j-efc9", "summary": "OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)\nArchive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", 
"reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452", "reference_id": "CVE-2026-28452", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452" }, { "reference_url": "https://github.com/advisories/GHSA-h89v-j3x9-8wqj", "reference_id": "GHSA-h89v-j3x9-8wqj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h89v-j3x9-8wqj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj", "reference_id": "GHSA-h89v-j3x9-8wqj", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj" } ], "fixed_packages": [], "aliases": [ "CVE-2026-28452", "GHSA-h89v-j3x9-8wqj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bxj-nx1j-efc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50205?format=api", "vulnerability_id": "VCID-ack4-vu5k-muaj", "summary": "OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints\nBrowser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. 
Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317", "reference_id": "CVE-2026-26317", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317" }, { "reference_url": "https://github.com/advisories/GHSA-3fqr-4cg8-h96q", "reference_id": "GHSA-3fqr-4cg8-h96q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3fqr-4cg8-h96q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q", "reference_id": "GHSA-3fqr-4cg8-h96q", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q" } ], "fixed_packages": [], "aliases": [ "CVE-2026-26317", "GHSA-3fqr-4cg8-h96q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ack4-vu5k-muaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50193?format=api", "vulnerability_id": "VCID-jekq-y7ju-hfdc", "summary": "OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting\nWhen multiple Google Chat webhook targets are registered on the same HTTP 
path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469", "reference_id": "CVE-2026-28469", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469" }, { "reference_url": "https://github.com/advisories/GHSA-rq6g-px6m-c248", "reference_id": "GHSA-rq6g-px6m-c248", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rq6g-px6m-c248" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248", "reference_id": "GHSA-rq6g-px6m-c248", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248" } ], "fixed_packages": [], "aliases": [ "CVE-2026-28469", "GHSA-rq6g-px6m-c248" ], "risk_score": null, "exploitability": null, "weighted_severity": null, 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jekq-y7ju-hfdc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50148?format=api", "vulnerability_id": "VCID-nu42-52us-v7gp", "summary": "OpenClaw Google Chat allowlist authorized a mutable email principal despite sender-ID mismatch, enabling sender spoofing\nGoogle Chat allowlisting supports matching by sender email in addition to immutable sender resource name (`users/<id>`). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/16243", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/pull/16243" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://github.com/advisories/GHSA-chm2-m3w2-wcxm", "reference_id": "GHSA-chm2-m3w2-wcxm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-chm2-m3w2-wcxm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm", "reference_id": "GHSA-chm2-m3w2-wcxm", "reference_type": "", "scores": [], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm" } ], "fixed_packages": [], "aliases": [ "GHSA-chm2-m3w2-wcxm" ], "risk_score": null, "exploitability": null, 
"weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nu42-52us-v7gp" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24-3" }