Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/978321?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/978321?format=api", "purl": "pkg:npm/openclaw@2026.3.23-1", "type": "npm", "namespace": "", "name": "openclaw", "version": "2026.3.23-1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2026.4.23", "latest_non_vulnerable_version": "2026.4.23", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359970?format=api", "vulnerability_id": "VCID-1cbb-8u8n-dqa8", "summary": "Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7", "reference_id": "GHSA-cg6c-q2hx-69h7", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7" }, { "reference_url": "https://github.com/advisories/GHSA-j56c-wpqm-h24x", "reference_id": "GHSA-j56c-wpqm-h24x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j56c-wpqm-h24x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373851?format=api", "purl": "pkg:npm/openclaw@2026.3.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2d6p-8jxd-1yc4" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4n9g-ymdq-6fhd" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4srt-x1xb-xqa8" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-54js-czwp-jkce" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5k9d-n6kg-g3bn" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bj4f-1qy4-33g7" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c723-znew-ebhm" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-epaf-29e7-kue8" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-qx6n-dk9c-8yd3" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-ub5p-bp37-hff5" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-w49b-cbcg-abat" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-ye9d-bzdx-bbeq" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23" } ], "aliases": [ "GHSA-j56c-wpqm-h24x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1cbb-8u8n-dqa8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65586?format=api", "vulnerability_id": "VCID-1f2r-y41u-y7b4", "summary": "OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43574", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11403", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11359", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11393", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11333", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43574" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/65714", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/65714" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43574", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43574" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd", "reference_id": "0a105c0900de701d2ee9f1abc96b017afbd0afdd", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd" }, { "reference_url": "https://github.com/advisories/GHSA-49cg-279w-m73x", "reference_id": "GHSA-49cg-279w-m73x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-49cg-279w-m73x" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x", "reference_id": "GHSA-49cg-279w-m73x", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists", "reference_id": "openclaw-improper-authorization-via-empty-approver-lists", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373522?format=api", "purl": "pkg:npm/openclaw@2026.4.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12" } ], "aliases": [ "CVE-2026-43574", "GHSA-49cg-279w-m73x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1f2r-y41u-y7b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360149?format=api", "vulnerability_id": "VCID-1gsf-j6g3-4fd7", "summary": "OpenClaw: Silent privilege escalation via gateway shared-auth reconnect\n## Summary\n\nGateway local shared-auth reconnect silently widens paired device scope from operator.read to operator.admin and reach node RCE\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nSilent local shared-auth reconnects could previously auto-approve `scope-upgrade` requests and widen a paired device from `operator.read` to `operator.admin`. Commit `81ebc7e0344fd19c85778e883bad45e2da972229` blocks silent reconnect scope upgrades so widened scopes require an explicit pairing approval instead of an implicit local reconnect path.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81ebc7e0344fd19c85778e883bad45e2da972229`.\n\n## Fix Commit(s)\n\n- `81ebc7e0344fd19c85778e883bad45e2da972229`", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-fqw4-mph7-2vr8", "reference_id": "GHSA-fqw4-mph7-2vr8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fqw4-mph7-2vr8" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8", "reference_id": "GHSA-fqw4-mph7-2vr8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8" } ], "fixed_packages": [], "aliases": [ "GHSA-fqw4-mph7-2vr8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1gsf-j6g3-4fd7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65519?format=api", "vulnerability_id": "VCID-1kns-bfm7-wqa7", "summary": "OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43530", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21543", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.2153", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21557", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21358", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43530" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/65713", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/65713" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43530", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43530" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9", "reference_id": "666f48d9b882a8a1415ca53f9567c72499d850c9", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9" }, { "reference_url": "https://github.com/advisories/GHSA-2cq5-mf3v-mx44", "reference_id": "GHSA-2cq5-mf3v-mx44", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cq5-mf3v-mx44" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44", "reference_id": "GHSA-2cq5-mf3v-mx44", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution", "reference_id": "openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373522?format=api", "purl": "pkg:npm/openclaw@2026.4.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12" } ], "aliases": [ "CVE-2026-43530", "GHSA-2cq5-mf3v-mx44" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1kns-bfm7-wqa7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81137?format=api", "vulnerability_id": "VCID-1sxg-r1bm-mygk", "summary": "OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41408", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16421", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16403", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16433", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16278", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41408" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41408", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41408" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce", "reference_id": "2194587d70d2aef863508b945319c5a7c88b12ce", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce" }, { "reference_url": "https://github.com/advisories/GHSA-4g5x-2jfc-xm98", "reference_id": "GHSA-4g5x-2jfc-xm98", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4g5x-2jfc-xm98" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98", "reference_id": "GHSA-4g5x-2jfc-xm98", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass", "reference_id": "openclaw-disk-exhaustion-via-media-download-bypass", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41408", "GHSA-4g5x-2jfc-xm98" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1sxg-r1bm-mygk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81051?format=api", "vulnerability_id": "VCID-1wqp-rrgy-4ffe", "summary": "OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41356", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41356" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41356", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41356" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d", "reference_id": "91f7a6b0fd67b703897e6e307762d471ca09333d", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:22Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d" }, { "reference_url": "https://github.com/advisories/GHSA-rfqg-qgf8-xr9x", "reference_id": "GHSA-rfqg-qgf8-xr9x", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rfqg-qgf8-xr9x" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x", "reference_id": "GHSA-rfqg-qgf8-xr9x", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:22Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate", "reference_id": "openclaw-incomplete-websocket-session-termination-in-device-token-rotate", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:22Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41356", "GHSA-rfqg-qgf8-xr9x" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1wqp-rrgy-4ffe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71796?format=api", "vulnerability_id": "VCID-213t-kf4c-qfct", "summary": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35663", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16007", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16125", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16159", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16149", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35663" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35663", "reference_id": "CVE-2026-35663", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35663" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48", "reference_id": "d3d8e316bd819d3c7e34253aeb7eccb2510f5f48", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:55Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48" }, { "reference_url": "https://github.com/advisories/GHSA-9hjh-fr4f-gxc4", "reference_id": "GHSA-9hjh-fr4f-gxc4", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9hjh-fr4f-gxc4" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4", "reference_id": "GHSA-9hjh-fr4f-gxc4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:55Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim", "reference_id": "openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:55Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35663", "GHSA-9hjh-fr4f-gxc4" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-213t-kf4c-qfct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65486?format=api", "vulnerability_id": "VCID-24x5-nkt2-wbg7", "summary": "OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17561", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17551", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17579", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17398", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43571" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43571", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43571" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837", "reference_id": "1fede43b948df40ca8674511d4bd08d39f6c5837", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837" }, { "reference_url": "https://github.com/advisories/GHSA-82qx-6vj7-p8m2", "reference_id": "GHSA-82qx-6vj7-p8m2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-82qx-6vj7-p8m2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2", "reference_id": "GHSA-82qx-6vj7-p8m2", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup", "reference_id": "openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43571", "GHSA-82qx-6vj7-p8m2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-24x5-nkt2-wbg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359839?format=api", "vulnerability_id": "VCID-27ud-w29j-cbeq", "summary": "OpenClaw: Nostr profile mutation routes allowed operator.write config persistence\n## Summary\n\nNostr profile mutation routes allowed operator.write config persistence.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nNostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority.\n\n## Technical Details\n\nThe fix requires `operator.admin` scope for Nostr profile mutation routes.\n\n## Fix\n\nThe issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `6517c700de9bb0ee11b41ab625ef3b63d01b6083`\n- PR: #63553\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63553", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63553" }, { "reference_url": "https://github.com/advisories/GHSA-f3h5-h452-vp3j", "reference_id": "GHSA-f3h5-h452-vp3j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3h5-h452-vp3j" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j", "reference_id": "GHSA-f3h5-h452-vp3j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "GHSA-f3h5-h452-vp3j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-27ud-w29j-cbeq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71903?format=api", "vulnerability_id": "VCID-2amg-4khy-1ufr", "summary": "OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35640", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31523", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31715", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31732", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31714", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35640" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35640", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35640" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53", "reference_id": "5e8cb22176e9235e224be0bc530699261eb60e53", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:25:51Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53" }, { "reference_url": "https://github.com/advisories/GHSA-3h52-cx59-c456", "reference_id": "GHSA-3h52-cx59-c456", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3h52-cx59-c456" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456", "reference_id": "GHSA-3h52-cx59-c456", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:25:51Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing", "reference_id": "openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:25:51Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35640", "GHSA-3h52-cx59-c456" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2amg-4khy-1ufr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359942?format=api", "vulnerability_id": "VCID-2c8q-g4uw-mufb", "summary": "OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch`\n## Summary\nAgentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via `config.patch`\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Maintainers accepted this issue, fixed it in 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `76411b2afc4ae721e36c12e0ea24fd23e2fed61e` — 2026-03-27T09:42:15Z\n\nOpenClaw thanks @YLChen-007 for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-v3qc-wrwx-j3pw", "reference_id": "GHSA-v3qc-wrwx-j3pw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v3qc-wrwx-j3pw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw", "reference_id": "GHSA-v3qc-wrwx-j3pw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-v3qc-wrwx-j3pw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2c8q-g4uw-mufb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81032?format=api", "vulnerability_id": "VCID-2d5p-gd51-3bfc", "summary": "OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41913", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23603", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23592", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23615", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23408", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41913" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41913", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41913" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-25wv-8phj-8p7r", "reference_id": "GHSA-25wv-8phj-8p7r", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-25wv-8phj-8p7r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r", "reference_id": "GHSA-25wv-8phj-8p7r", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts", "reference_id": "openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373408?format=api", "purl": "pkg:npm/openclaw@2026.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/373918?format=api", "purl": "pkg:npm/openclaw@2026.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-bpy3-pdqr-uube" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5" } ], "aliases": [ "CVE-2026-41913", "GHSA-25wv-8phj-8p7r" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2d5p-gd51-3bfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78097?format=api", "vulnerability_id": "VCID-2d6p-8jxd-1yc4", "summary": "OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33581", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19908", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.199", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19924", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19734", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33581" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416", "reference_id": "1d7cb6fc03552bbba00e7cffb3aa9741f5556416", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:29:20Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416" }, { "reference_url": "https://github.com/advisories/GHSA-v8wv-jg3q-qwpq", "reference_id": "GHSA-v8wv-jg3q-qwpq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v8wv-jg3q-qwpq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq", "reference_id": "GHSA-v8wv-jg3q-qwpq", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:29:20Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters", "reference_id": "openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:29:20Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-33581", "GHSA-v8wv-jg3q-qwpq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2d6p-8jxd-1yc4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71638?format=api", "vulnerability_id": "VCID-2keu-vgjt-t7ba", "summary": "OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message transmission.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35647", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.124", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1248", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.125", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12491", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35647" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2", "reference_id": "2383daf5c4a4e08d9553e0e949552ad755ef9ec2", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:21:05Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35647", "reference_id": "CVE-2026-35647", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35647" }, { "reference_url": "https://github.com/advisories/GHSA-9wqx-g2cw-vc7r", "reference_id": "GHSA-9wqx-g2cw-vc7r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9wqx-g2cw-vc7r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r", "reference_id": "GHSA-9wqx-g2cw-vc7r", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:21:05Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-direct-message-policy-bypass-via-verification-notices", "reference_id": "openclaw-direct-message-policy-bypass-via-verification-notices", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:21:05Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-direct-message-policy-bypass-via-verification-notices" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35647", "GHSA-9wqx-g2cw-vc7r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2keu-vgjt-t7ba" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359862?format=api", "vulnerability_id": "VCID-2p3a-gmxy-37gx", "summary": "OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials\n## Summary\n\nSandbox noVNC helper route exposed interactive browser session credentials.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `>= 2026.2.21 < 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface.\n\n## Technical Details\n\nThe fix gates the sandbox noVNC helper route behind bridge authentication.\n\n## Fix\n\nThe issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `8dfbf3268bd224b7377d1ecca77a445100746085`\n- PR: #63882\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63882", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63882" }, { "reference_url": "https://github.com/advisories/GHSA-92jp-89mq-4374", "reference_id": "GHSA-92jp-89mq-4374", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-92jp-89mq-4374" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374", "reference_id": "GHSA-92jp-89mq-4374", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "GHSA-92jp-89mq-4374" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2p3a-gmxy-37gx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359256?format=api", "vulnerability_id": "VCID-2t7c-q448-a7bp", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41399", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27571", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27772", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27797", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27787", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41399" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/cb5f7e201f3f86ad70e199ef850e636b4cc457ba", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/cb5f7e201f3f86ad70e199ef850e636b4cc457ba" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41399", "reference_id": "CVE-2026-41399", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41399" }, { "reference_url": "https://github.com/advisories/GHSA-f44p-c7w9-7xr7", "reference_id": "GHSA-f44p-c7w9-7xr7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f44p-c7w9-7xr7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41399", "GHSA-f44p-c7w9-7xr7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2t7c-q448-a7bp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80646?format=api", "vulnerability_id": "VCID-2tsv-9m6k-1qdn", "summary": "OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41341", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05146", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05163", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05155", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41341" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41341", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41341" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf", "reference_id": "8c83128fc38d5a3642b8ccbea58550755fdbbbaf", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:34:01Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf" }, { "reference_url": "https://github.com/advisories/GHSA-6336-qqw9-v6x6", "reference_id": "GHSA-6336-qqw9-v6x6", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6336-qqw9-v6x6" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6", "reference_id": "GHSA-6336-qqw9-v6x6", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:34:01Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension", "reference_id": "openclaw-component-interaction-misclassification-in-discord-extension", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:34:01Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41341", "GHSA-6336-qqw9-v6x6" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2tsv-9m6k-1qdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80815?format=api", "vulnerability_id": "VCID-3f2g-c9me-nbdm", "summary": "OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41329", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16149", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16125", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16159", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16007", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41329" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd", "reference_id": "a30214a624946fc5c85c9558a27c1580172374fd", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41329", "reference_id": "CVE-2026-41329", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41329" }, { "reference_url": "https://github.com/advisories/GHSA-g5cg-8x5w-7jpm", "reference_id": "GHSA-g5cg-8x5w-7jpm", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g5cg-8x5w-7jpm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm", "reference_id": "GHSA-g5cg-8x5w-7jpm", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "9.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation", "reference_id": "openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41329", "GHSA-g5cg-8x5w-7jpm" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3f2g-c9me-nbdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80725?format=api", "vulnerability_id": "VCID-3f8g-rfq5-fbeb", "summary": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41359", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.093", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09309", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09257", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41359" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41359", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41359" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986", "reference_id": "b7d70ade3b9900dbe97bd73be9c02e924ff3c986", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:37:35Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986" }, { "reference_url": "https://github.com/advisories/GHSA-767m-xrhc-fxm7", "reference_id": "GHSA-767m-xrhc-fxm7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-767m-xrhc-fxm7" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7", "reference_id": "GHSA-767m-xrhc-fxm7", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:37:35Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence", "reference_id": "openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:37:35Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41359", "GHSA-767m-xrhc-fxm7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3f8g-rfq5-fbeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359920?format=api", "vulnerability_id": "VCID-3qf3-mq53-fbgp", "summary": "OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration\n## Summary\nMedia Local Roots Self-Whitelisting in `appendLocalMediaParentRoots` Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `1ca4261d7e055d0be141ed79ebb1365d0fbc7364` — 2026-03-30T17:15:03+01:00\n\nOpenClaw thanks @tdjackey for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-57gh-m6rq-54cf", "reference_id": "GHSA-57gh-m6rq-54cf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-57gh-m6rq-54cf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf", "reference_id": "GHSA-57gh-m6rq-54cf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-57gh-m6rq-54cf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3qf3-mq53-fbgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80759?format=api", "vulnerability_id": "VCID-3swm-pxgf-sqbx", "summary": "OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execute different underlying programs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41390", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07931", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07957", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07962", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07966", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41390" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41390", "reference_id": "CVE-2026-41390", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41390" }, { "reference_url": "https://github.com/advisories/GHSA-6pfc-6m7w-m8fx", "reference_id": "GHSA-6pfc-6m7w-m8fx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6pfc-6m7w-m8fx" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx", "reference_id": "GHSA-6pfc-6m7w-m8fx", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:25:11Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper", "reference_id": "openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:25:11Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41390", "GHSA-6pfc-6m7w-m8fx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3swm-pxgf-sqbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359246?format=api", "vulnerability_id": "VCID-416m-tsuc-b3fg", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41348", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41348" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41348", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41348" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands" }, { "reference_url": "https://github.com/advisories/GHSA-rvvf-6vh3-9j43", "reference_id": "GHSA-rvvf-6vh3-9j43", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rvvf-6vh3-9j43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41348", "GHSA-rvvf-6vh3-9j43" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-416m-tsuc-b3fg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359247?format=api", "vulnerability_id": "VCID-45as-yk5j-dug2", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41354", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17707", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17867", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17883", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17858", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41354" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41354", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41354" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys" }, { "reference_url": "https://github.com/advisories/GHSA-rxmx-g7hr-8mx4", "reference_id": "GHSA-rxmx-g7hr-8mx4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rxmx-g7hr-8mx4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41354", "GHSA-rxmx-g7hr-8mx4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-45as-yk5j-dug2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80952?format=api", "vulnerability_id": "VCID-47ty-n3m4-nbbe", "summary": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41344", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.24831", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.25046", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00086", "scoring_system": "epss", "scoring_elements": "0.2503", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41344" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c6031235288a8d3bdf2243bd974340d8c8045bc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/c6031235288a8d3bdf2243bd974340d8c8045bc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41344", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41344" }, { "reference_url": "https://github.com/advisories/GHSA-5h2w-qmfp-ggp6", "reference_id": "GHSA-5h2w-qmfp-ggp6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5h2w-qmfp-ggp6" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6", "reference_id": "GHSA-5h2w-qmfp-ggp6", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:02Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter", "reference_id": "openclaw-privilege-escalation-via-chat-send-verbose-parameter", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:02Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41344", "GHSA-5h2w-qmfp-ggp6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-47ty-n3m4-nbbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81179?format=api", "vulnerability_id": "VCID-4kcu-akxv-hker", "summary": "OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41335", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12872", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12957", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12978", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12968", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41335" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41335", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41335" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c5c10adc022f42eb75ebb3bf364dd607738683b3", "reference_id": "c5c10adc022f42eb75ebb3bf364dd607738683b3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:32:59Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c5c10adc022f42eb75ebb3bf364dd607738683b3" }, { "reference_url": "https://github.com/advisories/GHSA-hr8g-2q7x-3f4w", "reference_id": "GHSA-hr8g-2q7x-3f4w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hr8g-2q7x-3f4w" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr8g-2q7x-3f4w", "reference_id": "GHSA-hr8g-2q7x-3f4w", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:32:59Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr8g-2q7x-3f4w" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-control-ui-bootstrap-json", "reference_id": "openclaw-information-disclosure-via-control-ui-bootstrap-json", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:32:59Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-control-ui-bootstrap-json" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41335", "GHSA-hr8g-2q7x-3f4w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4kcu-akxv-hker" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360100?format=api", "vulnerability_id": "VCID-4n9g-ymdq-6fhd", "summary": "Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-v8wv-jg3q-qwpq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581" }, { "reference_url": "https://github.com/advisories/GHSA-3gr8-2752-h46q", "reference_id": "GHSA-3gr8-2752-h46q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3gr8-2752-h46q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq", "reference_id": "GHSA-v8wv-jg3q-qwpq", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "GHSA-3gr8-2752-h46q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4n9g-ymdq-6fhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69834?format=api", "vulnerability_id": "VCID-4qqv-57ws-4yb3", "summary": "OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45002", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10694", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11756", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.1173", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11751", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45002" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45002", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45002" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3", "reference_id": "5275d008ed33203dba3f98e969ad683a65c416c3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3" }, { "reference_url": "https://github.com/advisories/GHSA-2xcp-x87w-q377", "reference_id": "GHSA-2xcp-x87w-q377", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xcp-x87w-q377" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377", "reference_id": "GHSA-2xcp-x87w-q377", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping", "reference_id": "openclaw-hook-session-key-bypass-via-template-mapping", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "CVE-2026-45002", "GHSA-2xcp-x87w-q377" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4qqv-57ws-4yb3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71557?format=api", "vulnerability_id": "VCID-4srt-x1xb-xqa8", "summary": "OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35620", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20635", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20457", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20634", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20656", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35620" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35620", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35620" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b", "reference_id": "555b2578a8cc6e1b93f717496935ead97bfbed8b", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2", "reference_id": "ccfeecb6887cd97937e33a71877ad512741e82b2", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35", "reference_id": "ea018a68ccb92dbc735bc1df9880d5c95c63ca35", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35" }, { "reference_url": "https://github.com/advisories/GHSA-39mp-545q-w789", "reference_id": "GHSA-39mp-545q-w789", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39mp-545q-w789" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789", "reference_id": "GHSA-39mp-545q-w789", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83", "reference_id": "GHSA-vqvg-86cc-cg83", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-allowlist-chat-commands", "reference_id": "openclaw-missing-authorization-in-send-and-allowlist-chat-commands", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-allowlist-chat-commands" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35620", "GHSA-39mp-545q-w789" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4srt-x1xb-xqa8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359251?format=api", "vulnerability_id": "VCID-4umw-rnj5-efad", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41374", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.23943", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24142", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24151", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.2413", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41374" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ee52f64226a03efadfdf1e3b759e13424a3d4e41", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/ee52f64226a03efadfdf1e3b759e13424a3d4e41" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhff-fj5f-qg48", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhff-fj5f-qg48" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41374", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41374" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-discord-audio-preflight-before-member-authorization", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-discord-audio-preflight-before-member-authorization" }, { "reference_url": "https://github.com/advisories/GHSA-hhff-fj5f-qg48", "reference_id": "GHSA-hhff-fj5f-qg48", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hhff-fj5f-qg48" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41374", "GHSA-hhff-fj5f-qg48" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4umw-rnj5-efad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80738?format=api", "vulnerability_id": "VCID-4yrw-qqvt-jkhn", "summary": "OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41400", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37265", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37453", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37467", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37443", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41400" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41400", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41400" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/9abcfdadf591bf266d85fbdfe14ae833e557a110", "reference_id": "9abcfdadf591bf266d85fbdfe14ae833e557a110", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:52:26Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/9abcfdadf591bf266d85fbdfe14ae833e557a110" }, { "reference_url": "https://github.com/advisories/GHSA-2w79-r9g8-wmcr", "reference_id": "GHSA-2w79-r9g8-wmcr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2w79-r9g8-wmcr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2w79-r9g8-wmcr", "reference_id": "GHSA-2w79-r9g8-wmcr", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:52:26Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2w79-r9g8-wmcr" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call", "reference_id": "openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:52:26Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41400", "GHSA-2w79-r9g8-wmcr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4yrw-qqvt-jkhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71583?format=api", "vulnerability_id": "VCID-54js-czwp-jkce", "summary": "OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35641", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01187", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01194", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.0119", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01185", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35641" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35641", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35641" }, { "reference_url": "https://github.com/advisories/GHSA-m3mh-3mpg-37hw", "reference_id": "GHSA-m3mh-3mpg-37hw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m3mh-3mpg-37hw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw", "reference_id": "GHSA-m3mh-3mpg-37hw", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T14:30:45Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation", "reference_id": "openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T14:30:45Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35641", "GHSA-m3mh-3mpg-37hw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-54js-czwp-jkce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81138?format=api", "vulnerability_id": "VCID-563k-49s5-5fbp", "summary": "OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41296", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11027", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10991", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11022", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10965", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41296" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41296", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41296" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb", "reference_id": "121870a08583033ed6a0ed73d9ffea32991252bb", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb" }, { "reference_url": "https://github.com/advisories/GHSA-9p3r-hh9g-5cmg", "reference_id": "GHSA-9p3r-hh9g-5cmg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9p3r-hh9g-5cmg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg", "reference_id": "GHSA-9p3r-hh9g-5cmg", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile", "reference_id": "openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41296", "GHSA-9p3r-hh9g-5cmg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-563k-49s5-5fbp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71863?format=api", "vulnerability_id": "VCID-59an-tnp2-qfgg", "summary": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35628", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.22123", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.22109", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.22134", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00071", "scoring_system": "epss", "scoring_elements": "0.21935", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35628" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35628", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35628" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7", "reference_id": "c2c136ae9517ddd0789d742a0fdf4c10e8c729a7", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:14:25Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7" }, { "reference_url": "https://github.com/advisories/GHSA-vcx4-4qxg-mfp4", "reference_id": "GHSA-vcx4-4qxg-mfp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vcx4-4qxg-mfp4" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4", "reference_id": "GHSA-vcx4-4qxg-mfp4", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:14:25Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting", "reference_id": "openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:14:25Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35628", "GHSA-vcx4-4qxg-mfp4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-59an-tnp2-qfgg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/84008?format=api", "vulnerability_id": "VCID-5c35-mfrw-r3fg", "summary": "OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40045", "reference_id": "", "reference_type": "", "scores": [ { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00426", "published_at": "2026-06-12T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00435", "published_at": "2026-06-14T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00425", "published_at": "2026-06-13T12:55:00Z" }, { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00427", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40045" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40045", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40045" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a941a4fef9bc43b2973c92d0dcff5b8a426210c5", "reference_id": "a941a4fef9bc43b2973c92d0dcff5b8a426210c5", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37:33Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a941a4fef9bc43b2973c92d0dcff5b8a426210c5" }, { "reference_url": "https://github.com/advisories/GHSA-83f3-hh45-vfw9", "reference_id": "GHSA-83f3-hh45-vfw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-83f3-hh45-vfw9" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9", "reference_id": "GHSA-83f3-hh45-vfw9", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37:33Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-cleartext-credential-transmission-via-unencrypted-websocket-gateway-endpoints", "reference_id": "openclaw-cleartext-credential-transmission-via-unencrypted-websocket-gateway-endpoints", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37:33Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-cleartext-credential-transmission-via-unencrypted-websocket-gateway-endpoints" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-40045", "GHSA-83f3-hh45-vfw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5c35-mfrw-r3fg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81180?format=api", "vulnerability_id": "VCID-5hvu-e2e8-y7h6", "summary": "OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41378", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.52489", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.52484", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.52501", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00285", "scoring_system": "epss", "scoring_elements": "0.5236", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41378" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41378", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41378" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62", "reference_id": "a77928b1087e90f2a8903f8e5aca6dec9237ac62", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62" }, { "reference_url": "https://github.com/advisories/GHSA-gjm7-hw8f-73rq", "reference_id": "GHSA-gjm7-hw8f-73rq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gjm7-hw8f-73rq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq", "reference_id": "GHSA-gjm7-hw8f-73rq", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch", "reference_id": "openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41378", "GHSA-gjm7-hw8f-73rq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5hvu-e2e8-y7h6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78132?format=api", "vulnerability_id": "VCID-5jgs-gk2n-8fdk", "summary": "OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33576", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05034", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05009", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0502", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0503", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33576" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33576", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33576" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a", "reference_id": "68ceaf7a5f64a23e78b95eff055e4b497218312a", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:11:13Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a" }, { "reference_url": "https://github.com/advisories/GHSA-v2v2-f783-358j", "reference_id": "GHSA-v2v2-f783-358j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2v2-f783-358j" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j", "reference_id": "GHSA-v2v2-f783-358j", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:11:13Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel", "reference_id": "openclaw-unauthorized-media-download-via-zalo-channel", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:11:13Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-33576", "GHSA-v2v2-f783-358j" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5jgs-gk2n-8fdk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71536?format=api", "vulnerability_id": "VCID-5k9d-n6kg-g3bn", "summary": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately without graceful SIGTERM shutdown. Attackers can trigger process termination via the !stop command, causing data corruption, resource leaks, and skipped security-sensitive cleanup operations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35667", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04194", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04197", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04207", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35667" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35667", "reference_id": "CVE-2026-35667", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35667" }, { "reference_url": "https://github.com/advisories/GHSA-3298-56p6-rpw2", "reference_id": "GHSA-3298-56p6-rpw2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3298-56p6-rpw2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2", "reference_id": "GHSA-3298-56p6-rpw2", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:31Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2" }, { "reference_url": "https://github.com/advisories/GHSA-jfv4-h8mc-jcp8", "reference_id": "GHSA-jfv4-h8mc-jcp8", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jfv4-h8mc-jcp8" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts", "reference_id": "openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:31Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35667", "GHSA-3298-56p6-rpw2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5k9d-n6kg-g3bn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80787?format=api", "vulnerability_id": "VCID-5msy-va7d-jkhz", "summary": "OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sandbox and overwrite files on the remote host.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41364", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41124", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41135", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41146", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40958", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41364" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41364", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41364" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/3d5af14984ac1976c747a8e11581d697bd0829dc", "reference_id": "3d5af14984ac1976c747a8e11581d697bd0829dc", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:05:32Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/3d5af14984ac1976c747a8e11581d697bd0829dc" }, { "reference_url": "https://github.com/advisories/GHSA-fv94-qvg8-xqpw", "reference_id": "GHSA-fv94-qvg8-xqpw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fv94-qvg8-xqpw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fv94-qvg8-xqpw", "reference_id": "GHSA-fv94-qvg8-xqpw", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:05:32Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fv94-qvg8-xqpw" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload", "reference_id": "openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:05:32Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41364", "GHSA-fv94-qvg8-xqpw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5msy-va7d-jkhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359934?format=api", "vulnerability_id": "VCID-5szz-xqng-fffv", "summary": "OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts\n## Summary\nTelegram legacy allowFrom migration fans default-account trust into all named accounts\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/advisories/GHSA-f693-58pc-2gfr", "reference_id": "GHSA-f693-58pc-2gfr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f693-58pc-2gfr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr", "reference_id": "GHSA-f693-58pc-2gfr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-f693-58pc-2gfr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5szz-xqng-fffv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65525?format=api", "vulnerability_id": "VCID-5uvn-998w-hfds", "summary": "OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43534", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06636", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06606", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06624", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06614", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43534" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/64372", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/64372" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43534", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43534" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29", "reference_id": "e3a845bde5b54f4f1e742d0a51ba9860f9619b29", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29" }, { "reference_url": "https://github.com/advisories/GHSA-7g8c-cfr3-vqqr", "reference_id": "GHSA-7g8c-cfr3-vqqr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7g8c-cfr3-vqqr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr", "reference_id": "GHSA-7g8c-cfr3-vqqr", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events", "reference_id": "openclaw-unsanitized-external-input-in-agent-hook-events", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43534", "GHSA-7g8c-cfr3-vqqr" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5uvn-998w-hfds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359764?format=api", "vulnerability_id": "VCID-5zh4-jn4s-akc9", "summary": "OpenClaw: Paired-device pairing actions were not limited to the caller device\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nA paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.\n\nThis is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.\n\n## Fix\n\nPairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.\n\nFix commit:\n\n- `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-xrq9-jm7v-g9h7", "reference_id": "GHSA-xrq9-jm7v-g9h7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xrq9-jm7v-g9h7" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7", "reference_id": "GHSA-xrq9-jm7v-g9h7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "GHSA-xrq9-jm7v-g9h7" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5zh4-jn4s-akc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/68039?format=api", "vulnerability_id": "VCID-65nh-ys6n-77ag", "summary": "OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44118", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02617", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0261", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0262", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44118" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44118", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44118" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19", "reference_id": "3cb1a56bfc9579a0f2336f9cfa12a8a744332a19", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19" }, { "reference_url": "https://github.com/advisories/GHSA-r6xh-pqhr-v4xh", "reference_id": "GHSA-r6xh-pqhr-v4xh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r6xh-pqhr-v4xh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh", "reference_id": "GHSA-r6xh-pqhr-v4xh", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header", "reference_id": "openclaw-owner-context-spoofing-via-bearer-token-header", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "CVE-2026-44118", "GHSA-r6xh-pqhr-v4xh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-65nh-ys6n-77ag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70630?format=api", "vulnerability_id": "VCID-6ce4-zpfh-pybu", "summary": "OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42431", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11234", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11226", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11169", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42431" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42431", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42431" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-cmfr-9m2r-xwhq", "reference_id": "GHSA-cmfr-9m2r-xwhq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cmfr-9m2r-xwhq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq", "reference_id": "GHSA-cmfr-9m2r-xwhq", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-persistent-profile-mutation-via-node-invoke-browser-proxy-bypass", "reference_id": "openclaw-persistent-profile-mutation-via-node-invoke-browser-proxy-bypass", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-persistent-profile-mutation-via-node-invoke-browser-proxy-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42431", "GHSA-cmfr-9m2r-xwhq" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ce4-zpfh-pybu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359796?format=api", "vulnerability_id": "VCID-6hav-n44a-dkeu", "summary": "OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations\n## Summary\n`session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` — 2026-03-30T16:48:12+02:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @tdjackey for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-fwjq-xwfj-gv75", "reference_id": "GHSA-fwjq-xwfj-gv75", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fwjq-xwfj-gv75" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75", "reference_id": "GHSA-fwjq-xwfj-gv75", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-fwjq-xwfj-gv75" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6hav-n44a-dkeu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65524?format=api", "vulnerability_id": "VCID-6w88-6bts-sudv", "summary": "OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43585", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00143", "scoring_system": "epss", "scoring_elements": "0.34576", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00143", "scoring_system": "epss", "scoring_elements": "0.34579", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00143", "scoring_system": "epss", "scoring_elements": "0.346", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00143", "scoring_system": "epss", "scoring_elements": "0.34398", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43585" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66651", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66651" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43585", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43585" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094", "reference_id": "acd4e0a32f12e1ad85f3130f63b42443ce90f094", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:53:26Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094" }, { "reference_url": "https://github.com/advisories/GHSA-xmxx-7p24-h892", "reference_id": "GHSA-xmxx-7p24-h892", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xmxx-7p24-h892" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892", "reference_id": "GHSA-xmxx-7p24-h892", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:53:26Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution", "reference_id": "openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:53:26Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373280?format=api", "purl": "pkg:npm/openclaw@2026.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15" } ], "aliases": [ "CVE-2026-43585", "GHSA-xmxx-7p24-h892" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6w88-6bts-sudv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65593?format=api", "vulnerability_id": "VCID-7j27-ndq2-mfht", "summary": "OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43576", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11841", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11865", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11782", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43576" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/60469", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/60469" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43576", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43576" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665", "reference_id": "bc356cc8c2beaa747c71dd86cceab8f804699665", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:30:18Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665" }, { "reference_url": "https://github.com/advisories/GHSA-f7fh-qg34-x2xh", "reference_id": "GHSA-f7fh-qg34-x2xh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f7fh-qg34-x2xh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh", "reference_id": "GHSA-f7fh-qg34-x2xh", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:30:18Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url", "reference_id": "openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:30:18Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373918?format=api", "purl": "pkg:npm/openclaw@2026.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-bpy3-pdqr-uube" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5" } ], "aliases": [ "CVE-2026-43576", "GHSA-f7fh-qg34-x2xh" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7j27-ndq2-mfht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81144?format=api", "vulnerability_id": "VCID-7r7v-pvsj-uyaw", "summary": "OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41333", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23408", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23592", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23615", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23603", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41333" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9", "reference_id": "af0c0862f22ca4492406a3103d05e3628f94cbe9", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:35:25Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9" }, { "reference_url": "https://github.com/advisories/GHSA-6p8r-6m93-557f", "reference_id": "GHSA-6p8r-6m93-557f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6p8r-6m93-557f" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f", "reference_id": "GHSA-6p8r-6m93-557f", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:35:25Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken", "reference_id": "openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:35:25Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41333", "GHSA-6p8r-6m93-557f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7r7v-pvsj-uyaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80619?format=api", "vulnerability_id": "VCID-7rcc-8g5p-3ydv", "summary": "OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside configured localRoots boundaries.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41363", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18416", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18576", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18598", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.1858", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41363" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/764394c78b6c22c5b53c3cd132d27ff36340bf45", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/764394c78b6c22c5b53c3cd132d27ff36340bf45" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41363", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41363" }, { "reference_url": "https://github.com/advisories/GHSA-qf48-qfv4-jjm9", "reference_id": "GHSA-qf48-qfv4-jjm9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qf48-qfv4-jjm9" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9", "reference_id": "GHSA-qf48-qfv4-jjm9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:12Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter", "reference_id": "openclaw-arbitrary-file-read-via-feishu-upload-image-parameter", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:12Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41363", "GHSA-qf48-qfv4-jjm9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7rcc-8g5p-3ydv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74779?format=api", "vulnerability_id": "VCID-7v88-gh66-ybgd", "summary": "OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34503", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0271", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02709", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02698", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02705", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34503" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863", "reference_id": "7a801cc451e9e667b705eeccff651923a1b8c863", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:12:24Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863" }, { "reference_url": "https://github.com/advisories/GHSA-2pr2-hcv6-7gwv", "reference_id": "GHSA-2pr2-hcv6-7gwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2pr2-hcv6-7gwv" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv", "reference_id": "GHSA-2pr2-hcv6-7gwv", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:12:24Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation", "reference_id": "openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:12:24Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-34503", "GHSA-2pr2-hcv6-7gwv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7v88-gh66-ybgd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360163?format=api", "vulnerability_id": "VCID-812y-rb9q-m7eu", "summary": "OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding\n## Summary\n\nGateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding.\n\n## Details\n\nThe HTTP route previously treated any bearer-authenticated request as admin-eligible and could call without binding the action to requester ownership or caller-granted operator scopes. The flaw removes the bearer-token admin fallback and keeps remote session kills on the local-admin or requester-owned path only.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-9p93-7j67-5pc2", "reference_id": "GHSA-9p93-7j67-5pc2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9p93-7j67-5pc2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2", "reference_id": "GHSA-9p93-7j67-5pc2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2" } ], "fixed_packages": [], "aliases": [ "GHSA-9p93-7j67-5pc2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-812y-rb9q-m7eu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65490?format=api", "vulnerability_id": "VCID-82aq-wxf5-aka8", "summary": "OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12246", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12325", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12346", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.1234", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43527" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66354", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66354" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66386", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66386" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43527", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43527" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed", "reference_id": "024f4614a1a1831406e763adc40ef226e3d5e9ed", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2", "reference_id": "1dabfef28db523e7de81edeb3dd689e9171236a2", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a", "reference_id": "213c36cf51121ef6c05cfccd78037371f968f31a", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f", "reference_id": "7eecfa411df3d12e6b810e6ca5df47254fc3db3f", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f" }, { "reference_url": "https://github.com/advisories/GHSA-53vx-pmqw-863c", "reference_id": "GHSA-53vx-pmqw-863c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-53vx-pmqw-863c" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c", "reference_id": "GHSA-53vx-pmqw-863c", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation", "reference_id": "openclaw-server-side-request-forgery-via-private-network-navigation", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373341?format=api", "purl": "pkg:npm/openclaw@2026.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14" } ], "aliases": [ "CVE-2026-43527", "GHSA-53vx-pmqw-863c" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-82aq-wxf5-aka8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70360?format=api", "vulnerability_id": "VCID-84ms-aakm-x3dc", "summary": "OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42428", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05925", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05931", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05939", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05947", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42428" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42428", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42428" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-3vvq-q2qc-7rmp", "reference_id": "GHSA-3vvq-q2qc-7rmp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3vvq-q2qc-7rmp" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp", "reference_id": "GHSA-3vvq-q2qc-7rmp", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads", "reference_id": "openclaw-missing-integrity-verification-in-package-downloads", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42428", "GHSA-3vvq-q2qc-7rmp" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-84ms-aakm-x3dc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71942?format=api", "vulnerability_id": "VCID-86wa-z59e-xqgu", "summary": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35623", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28737", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28752", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28763", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28542", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35623" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35623", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35623" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92", "reference_id": "5e08ce36d522a1c96df2bfe88e39303ae2643d92", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92" }, { "reference_url": "https://github.com/advisories/GHSA-xq8g-hgh6-87hv", "reference_id": "GHSA-xq8g-hgh6-87hv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xq8g-hgh6-87hv" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv", "reference_id": "GHSA-xq8g-hgh6-87hv", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting", "reference_id": "openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35623", "GHSA-xq8g-hgh6-87hv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-86wa-z59e-xqgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359778?format=api", "vulnerability_id": "VCID-8h62-5c5b-cbdt", "summary": "OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nFeishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy.\n\nThe issue is limited to Feishu card-action handling. Severity is medium.\n\n## Fix\n\nOpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs.\n\nFix commit:\n\n- `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-72q8-jcmc-97wx", "reference_id": "GHSA-72q8-jcmc-97wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-72q8-jcmc-97wx" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx", "reference_id": "GHSA-72q8-jcmc-97wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "GHSA-72q8-jcmc-97wx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8h62-5c5b-cbdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80840?format=api", "vulnerability_id": "VCID-8h7u-pr1w-z7df", "summary": "OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41915", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04643", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04651", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04665", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41915" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41915", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41915" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-cm8v-2vh9-cxf3", "reference_id": "GHSA-cm8v-2vh9-cxf3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cm8v-2vh9-cxf3" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3", "reference_id": "GHSA-cm8v-2vh9-cxf3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-git-environment-variable-injection-via-unfiltered-exec-environment", "reference_id": "openclaw-git-environment-variable-injection-via-unfiltered-exec-environment", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-git-environment-variable-injection-via-unfiltered-exec-environment" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-41915", "GHSA-cm8v-2vh9-cxf3" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8h7u-pr1w-z7df" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81098?format=api", "vulnerability_id": "VCID-8sps-h6k2-43c9", "summary": "OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting malicious index URLs through unsanitized environment variables.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41391", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04643", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04651", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04665", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41391" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41391", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41391" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d", "reference_id": "7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d" }, { "reference_url": "https://github.com/advisories/GHSA-7ggg-pvrf-458v", "reference_id": "GHSA-7ggg-pvrf-458v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7ggg-pvrf-458v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v", "reference_id": "GHSA-7ggg-pvrf-458v", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-bypass-in-package-index-url-handling", "reference_id": "openclaw-environment-variable-bypass-in-package-index-url-handling", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-bypass-in-package-index-url-handling" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41391", "GHSA-7ggg-pvrf-458v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8sps-h6k2-43c9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80811?format=api", "vulnerability_id": "VCID-8x39-gcpu-yqd9", "summary": "OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41301", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01588", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01594", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01602", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01591", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41301" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41301", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41301" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4ee742174f36b5445703e3b1ef2fbd6ae6700fa4", "reference_id": "4ee742174f36b5445703e3b1ef2fbd6ae6700fa4", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:33:12Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/4ee742174f36b5445703e3b1ef2fbd6ae6700fa4" }, { "reference_url": "https://github.com/advisories/GHSA-h43v-27wg-5mf9", "reference_id": "GHSA-h43v-27wg-5mf9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h43v-27wg-5mf9" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9", "reference_id": "GHSA-h43v-27wg-5mf9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:33:12Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-forged-nostr-dm-pairing-state-creation-via-signature-verification-bypass", "reference_id": "openclaw-forged-nostr-dm-pairing-state-creation-via-signature-verification-bypass", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:33:12Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-forged-nostr-dm-pairing-state-creation-via-signature-verification-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41301", "GHSA-h43v-27wg-5mf9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8x39-gcpu-yqd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80839?format=api", "vulnerability_id": "VCID-925q-556p-q3f6", "summary": "OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41914", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11169", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11234", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11226", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41914" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41914", "reference_id": "CVE-2026-41914", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41914" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:55:12Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-3fv3-6p2v-gxwj", "reference_id": "GHSA-3fv3-6p2v-gxwj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3fv3-6p2v-gxwj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj", "reference_id": "GHSA-3fv3-6p2v-gxwj", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:55:12Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths", "reference_id": "openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:55:12Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-41914", "GHSA-3fv3-6p2v-gxwj" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-925q-556p-q3f6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80609?format=api", "vulnerability_id": "VCID-9pv2-ufhu-w7g1", "summary": "OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41355", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0264", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0265", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02645", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41355" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41355", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41355" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1", "reference_id": "c02ee8a3a4cb390b23afdf21317aa8b2096854d1", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T14:22:04Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1" }, { "reference_url": "https://github.com/advisories/GHSA-42mx-vp8m-j7qh", "reference_id": "GHSA-42mx-vp8m-j7qh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-42mx-vp8m-j7qh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh", "reference_id": "GHSA-42mx-vp8m-j7qh", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T14:22:04Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh" }, { "reference_url": "https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion", "reference_id": "openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T14:22:04Z/" } ], "url": "https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41355", "GHSA-42mx-vp8m-j7qh" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9pv2-ufhu-w7g1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67767?format=api", "vulnerability_id": "VCID-9u9n-s6sc-2bhw", "summary": "OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44116", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15353", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15325", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.1536", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15225", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44116" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44116", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44116" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f", "reference_id": "a65eb1b864b7630c1242a82de9e5799b80583c3f", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f" }, { "reference_url": "https://github.com/advisories/GHSA-2hh7-c75g-qj2r", "reference_id": "GHSA-2hh7-c75g-qj2r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2hh7-c75g-qj2r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r", "reference_id": "GHSA-2hh7-c75g-qj2r", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation", "reference_id": "openclaw-server-side-request-forgery-in-zalo-photo-url-validation", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "CVE-2026-44116", "GHSA-2hh7-c75g-qj2r" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9u9n-s6sc-2bhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359888?format=api", "vulnerability_id": "VCID-9vbr-88pv-hudj", "summary": "OpenClaw: QQ Bot structured payloads could read arbitrary local files\n## Summary\n\nBefore OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host.\n\n## Impact\n\nPrompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2c45b06afdd6f7c621038b5419d8e661cff34a7f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/2c45b06afdd6f7c621038b5419d8e661cff34a7f" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc" }, { "reference_url": "https://github.com/advisories/GHSA-846p-hgpv-vphc", "reference_id": "GHSA-846p-hgpv-vphc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-846p-hgpv-vphc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "GHSA-846p-hgpv-vphc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9vbr-88pv-hudj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70510?format=api", "vulnerability_id": "VCID-9xv8-jtc8-ekcr", "summary": "OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42423", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17398", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17551", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17579", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17561", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42423" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42423", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42423" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-q2gc-xjqw-qp89", "reference_id": "GHSA-q2gc-xjqw-qp89", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q2gc-xjqw-qp89" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89", "reference_id": "GHSA-q2gc-xjqw-qp89", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback", "reference_id": "openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42423", "GHSA-q2gc-xjqw-qp89" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9xv8-jtc8-ekcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65573?format=api", "vulnerability_id": "VCID-9zkk-mp8b-kbbg", "summary": "OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43582", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11644", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11609", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11638", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11567", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43582" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/64367", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/64367" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43582", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43582" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/121c452d666d4749744dc2089287d0227aae2ed3", "reference_id": "121c452d666d4749744dc2089287d0227aae2ed3", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/121c452d666d4749744dc2089287d0227aae2ed3" }, { "reference_url": "https://github.com/advisories/GHSA-xq94-r468-qwgj", "reference_id": "GHSA-xq94-r468-qwgj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xq94-r468-qwgj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xq94-r468-qwgj", "reference_id": "GHSA-xq94-r468-qwgj", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:43Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xq94-r468-qwgj" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-dns-rebinding-ssrf-via-hostname-validation-bypass", "reference_id": "openclaw-dns-rebinding-ssrf-via-hostname-validation-bypass", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:43Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-dns-rebinding-ssrf-via-hostname-validation-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43582", "GHSA-xq94-r468-qwgj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9zkk-mp8b-kbbg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70333?format=api", "vulnerability_id": "VCID-a4pw-9uzw-47ge", "summary": "OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42424", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08741", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08738", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08745", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08697", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42424" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42424", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42424" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-qqq7-4hxc-x63c", "reference_id": "GHSA-qqq7-4hxc-x63c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qqq7-4hxc-x63c" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c", "reference_id": "GHSA-qqq7-4hxc-x63c", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-local-file-exfiltration-via-shared-reply-media-paths", "reference_id": "openclaw-local-file-exfiltration-via-shared-reply-media-paths", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-local-file-exfiltration-via-shared-reply-media-paths" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42424", "GHSA-qqq7-4hxc-x63c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a4pw-9uzw-47ge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77785?format=api", "vulnerability_id": "VCID-a7hc-rue8-13eb", "summary": "OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33578", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02172", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02179", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02169", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02168", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33578" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33578", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33578" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4", "reference_id": "e64a881ae0fb8af18e451163f4c2d611d60cc8e4", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:25Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4" }, { "reference_url": "https://github.com/advisories/GHSA-63mg-xp9j-jfcm", "reference_id": "GHSA-63mg-xp9j-jfcm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-63mg-xp9j-jfcm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm", "reference_id": "GHSA-63mg-xp9j-jfcm", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:25Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions", "reference_id": "openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:25Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-33578", "GHSA-63mg-xp9j-jfcm" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a7hc-rue8-13eb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80845?format=api", "vulnerability_id": "VCID-a9q6-xpjm-6yfd", "summary": "OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41403", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19297", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19293", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19316", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19129", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41403" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41403", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41403" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c", "reference_id": "30a1690323088fd291abd11643a264a6828a002c", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c" }, { "reference_url": "https://github.com/advisories/GHSA-3xv9-89fm-7h4r", "reference_id": "GHSA-3xv9-89fm-7h4r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3xv9-89fm-7h4r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r", "reference_id": "GHSA-3xv9-89fm-7h4r", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification", "reference_id": "openclaw-access-control-bypass-via-proxied-remote-request-misclassification", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41403", "GHSA-3xv9-89fm-7h4r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a9q6-xpjm-6yfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/84261?format=api", "vulnerability_id": "VCID-aegc-6ab1-k7hk", "summary": "OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40037", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.1148", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11518", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11549", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11557", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40037" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40037", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40037" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-qx8j-g322-qj6m", "reference_id": "GHSA-qx8j-g322-qj6m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qx8j-g322-qj6m" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m", "reference_id": "GHSA-qx8j-g322-qj6m", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects", "reference_id": "openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-40037", "GHSA-qx8j-g322-qj6m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aegc-6ab1-k7hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67838?format=api", "vulnerability_id": "VCID-afjz-us2v-k7ak", "summary": "OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11306", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11262", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11296", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11237", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44112" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44112", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44112" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76", "reference_id": "7be82d4fd1193bcb7e44ee38838f00bf924ffa76", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76" }, { "reference_url": "https://github.com/advisories/GHSA-wppj-c6mr-83jj", "reference_id": "GHSA-wppj-c6mr-83jj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wppj-c6mr-83jj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj", "reference_id": "GHSA-wppj-c6mr-83jj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes", "reference_id": "openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "CVE-2026-44112", "GHSA-wppj-c6mr-83jj" ], "risk_score": 4.3, "exploitability": "0.5", "weighted_severity": "8.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-afjz-us2v-k7ak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359857?format=api", "vulnerability_id": "VCID-agtk-z6cf-1bh7", "summary": "OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS\n## Summary\nImage pixel-limit guard can fail open on sips and allow decompression-bomb DoS\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availability issue that is valid at medium.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `0ed4f8a72bb140045962e97ab01c94c076b758a4` — 2026-03-31T22:52:55+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/advisories/GHSA-w85g-3h6x-4xh2", "reference_id": "GHSA-w85g-3h6x-4xh2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w85g-3h6x-4xh2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w85g-3h6x-4xh2", "reference_id": "GHSA-w85g-3h6x-4xh2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w85g-3h6x-4xh2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-w85g-3h6x-4xh2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-agtk-z6cf-1bh7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80686?format=api", "vulnerability_id": "VCID-b3av-6zna-sugm", "summary": "OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring operator acceptance.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41300", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11201", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11225", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11259", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11268", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41300" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2a75416634837c21ed05b8c3ed906eb7a7807060", "reference_id": "2a75416634837c21ed05b8c3ed906eb7a7807060", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:02:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2a75416634837c21ed05b8c3ed906eb7a7807060" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41300", "reference_id": "CVE-2026-41300", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41300" }, { "reference_url": "https://github.com/advisories/GHSA-9f4w-67g7-mqwv", "reference_id": "GHSA-9f4w-67g7-mqwv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9f4w-67g7-mqwv" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f4w-67g7-mqwv", "reference_id": "GHSA-9f4w-67g7-mqwv", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:02:56Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9f4w-67g7-mqwv" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding", "reference_id": "openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:02:56Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41300", "GHSA-9f4w-67g7-mqwv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3av-6zna-sugm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78329?format=api", "vulnerability_id": "VCID-b3nv-4pe7-fyhj", "summary": "OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33577", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03539", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03543", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03529", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03525", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33577" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33577", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33577" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34", "reference_id": "4d7cc6bb4fac68b5a5fadd1c5a23168281221f34", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:41Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34" }, { "reference_url": "https://github.com/advisories/GHSA-2x4x-cc5g-qmmg", "reference_id": "GHSA-2x4x-cc5g-qmmg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2x4x-cc5g-qmmg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg", "reference_id": "GHSA-2x4x-cc5g-qmmg", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:41Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve", "reference_id": "openclaw-insufficient-scope-validation-in-node-pair-approve", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:41Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-33577", "GHSA-2x4x-cc5g-qmmg" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3nv-4pe7-fyhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80897?format=api", "vulnerability_id": "VCID-bdx2-c7m3-xbfv", "summary": "OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41394", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27196", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.272", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27216", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26992", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41394" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41394", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41394" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47", "reference_id": "2a1db0c0f1fa375004a95ba0ef030534790a6d47", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47" }, { "reference_url": "https://github.com/advisories/GHSA-mhgq-xpfq-6r66", "reference_id": "GHSA-mhgq-xpfq-6r66", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mhgq-xpfq-6r66" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66", "reference_id": "GHSA-mhgq-xpfq-6r66", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes", "reference_id": "openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41394", "GHSA-mhgq-xpfq-6r66" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bdx2-c7m3-xbfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80716?format=api", "vulnerability_id": "VCID-bfj1-xxkp-aubu", "summary": "OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41294", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03534", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03538", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03524", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0352", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41294" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/6a793248024dca7685f63bcceb64a0096fd1586d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/6a793248024dca7685f63bcceb64a0096fd1586d" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41294", "reference_id": "CVE-2026-41294", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41294" }, { "reference_url": "https://github.com/advisories/GHSA-8rh7-6779-cjqq", "reference_id": "GHSA-8rh7-6779-cjqq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8rh7-6779-cjqq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq", "reference_id": "GHSA-8rh7-6779-cjqq", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:04:21Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file", "reference_id": "openclaw-environment-variable-injection-via-cwd-env-file", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:04:21Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41294", "GHSA-8rh7-6779-cjqq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bfj1-xxkp-aubu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80706?format=api", "vulnerability_id": "VCID-bj4f-1qy4-33g7", "summary": "OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41384", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03602", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03606", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03593", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03587", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41384" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41384", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41384" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24", "reference_id": "c2fb7f1948c3226732a630256b5179a60664ec24", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:11:06Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24" }, { "reference_url": "https://github.com/advisories/GHSA-vfw7-6rhc-6xxg", "reference_id": "GHSA-vfw7-6rhc-6xxg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vfw7-6rhc-6xxg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg", "reference_id": "GHSA-vfw7-6rhc-6xxg", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:11:06Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend", "reference_id": "openclaw-environment-variable-injection-via-workspace-config-in-cli-backend", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:11:06Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-41384", "GHSA-vfw7-6rhc-6xxg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bj4f-1qy4-33g7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77812?format=api", "vulnerability_id": "VCID-bnzw-duu7-7fgu", "summary": "OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20006", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20175", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20199", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20178", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33580" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd", "reference_id": "e403decb6e20091b5402780a7ccd2085f98aa3cd", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:18:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd" }, { "reference_url": "https://github.com/advisories/GHSA-9528-x887-j2fp", "reference_id": "GHSA-9528-x887-j2fp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9528-x887-j2fp" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp", "reference_id": "GHSA-9528-x887-j2fp", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:18:43Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication", "reference_id": "openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:18:43Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-33580", "GHSA-9528-x887-j2fp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bnzw-duu7-7fgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359760?format=api", "vulnerability_id": "VCID-bqwy-vw6g-uudj", "summary": "OpenClaw: Media download follows cross-origin redirects with Authorization headers intact\n## Summary\nMedia download follows cross-origin redirects with Authorization headers intact\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak class that fits medium.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f` — 2026-03-31T19:57:42+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/advisories/GHSA-68v4-hmwv-f43h", "reference_id": "GHSA-68v4-hmwv-f43h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68v4-hmwv-f43h" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68v4-hmwv-f43h", "reference_id": "GHSA-68v4-hmwv-f43h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68v4-hmwv-f43h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-68v4-hmwv-f43h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bqwy-vw6g-uudj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81133?format=api", "vulnerability_id": "VCID-brzy-7832-5bhh", "summary": "OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes on non-Control-UI clients, allowing self-declared scopes to persist on identity-bearing authentication paths and escalate privileges.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41404", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29844", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29846", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29862", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00114", "scoring_system": "epss", "scoring_elements": "0.29647", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41404" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8b88b927cb0747ad24d95b07d35682bf85dc5b0e", "reference_id": "8b88b927cb0747ad24d95b07d35682bf85dc5b0e", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/8b88b927cb0747ad24d95b07d35682bf85dc5b0e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41404", "reference_id": "CVE-2026-41404", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41404" }, { "reference_url": "https://github.com/advisories/GHSA-g374-mggx-p6xc", "reference_id": "GHSA-g374-mggx-p6xc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g374-mggx-p6xc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc", "reference_id": "GHSA-g374-mggx-p6xc", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication", "reference_id": "openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41404", "GHSA-g374-mggx-p6xc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-brzy-7832-5bhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360037?format=api", "vulnerability_id": "VCID-bt5u-3vwp-rqcw", "summary": "Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp", "reference_id": "GHSA-9528-x887-j2fp", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp" }, { "reference_url": "https://github.com/advisories/GHSA-gm9m-x74r-8whg", "reference_id": "GHSA-gm9m-x74r-8whg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gm9m-x74r-8whg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-gm9m-x74r-8whg" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bt5u-3vwp-rqcw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359267?format=api", "vulnerability_id": "VCID-bvyn-2c5r-4bce", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42427", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10976", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11038", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11034", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11003", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42427" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42427", "reference_id": "CVE-2026-42427", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42427" }, { "reference_url": "https://github.com/advisories/GHSA-7437-7hg8-frrw", "reference_id": "GHSA-7437-7hg8-frrw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7437-7hg8-frrw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42427", "GHSA-7437-7hg8-frrw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bvyn-2c5r-4bce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67891?format=api", "vulnerability_id": "VCID-c3fa-2u7p-pkgn", "summary": "OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44109", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42226", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42239", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42248", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42062", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44109" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66707", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66707" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44109", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44109" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae", "reference_id": "c8003f1b33ed2924be5f62131bd28742c5a41aae", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:34:48Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae" }, { "reference_url": "https://github.com/advisories/GHSA-xh72-v6v9-mwhc", "reference_id": "GHSA-xh72-v6v9-mwhc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xh72-v6v9-mwhc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc", "reference_id": "GHSA-xh72-v6v9-mwhc", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:34:48Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation", "reference_id": "openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:34:48Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373280?format=api", "purl": "pkg:npm/openclaw@2026.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15" } ], "aliases": [ "CVE-2026-44109", "GHSA-xh72-v6v9-mwhc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3fa-2u7p-pkgn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70133?format=api", "vulnerability_id": "VCID-c3hg-hct8-eqbv", "summary": "OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42436", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10623", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10601", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10626", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10563", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42436" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66040", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66040" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42436", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42436" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b75ad800a59009fc47eaa3471410f69046150e59", "reference_id": "b75ad800a59009fc47eaa3471410f69046150e59", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b75ad800a59009fc47eaa3471410f69046150e59" }, { "reference_url": "https://github.com/advisories/GHSA-c4qm-58hj-j6pj", "reference_id": "GHSA-c4qm-58hj-j6pj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4qm-58hj-j6pj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj", "reference_id": "GHSA-c4qm-58hj-j6pj", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes", "reference_id": "openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373341?format=api", "purl": "pkg:npm/openclaw@2026.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14" } ], "aliases": [ "CVE-2026-42436", "GHSA-c4qm-58hj-j6pj" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3hg-hct8-eqbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71722?format=api", "vulnerability_id": "VCID-c723-znew-ebhm", "summary": "OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35619", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10993", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11023", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11053", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11056", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35619" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35619", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35619" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501", "reference_id": "06de515b6c42816b62ec752e1c221cab67b38501", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:05:44Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501" }, { "reference_url": "https://github.com/advisories/GHSA-68f8-9mhj-h2mp", "reference_id": "GHSA-68f8-9mhj-h2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68f8-9mhj-h2mp" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp", "reference_id": "GHSA-68f8-9mhj-h2mp", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:05:44Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint", "reference_id": "openclaw-authorization-bypass-via-http-v1-models-endpoint", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:05:44Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35619", "GHSA-68f8-9mhj-h2mp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c723-znew-ebhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81024?format=api", "vulnerability_id": "VCID-c7gn-3t5r-j7bu", "summary": "OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41346", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.37896", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.38086", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.38098", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.38073", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41346" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41346", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41346" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785", "reference_id": "9bc1f896c8cd325dd4761681e9bdb8c425f69785", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:38:52Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785" }, { "reference_url": "https://github.com/advisories/GHSA-wwfp-w96m-c6x8", "reference_id": "GHSA-wwfp-w96m-c6x8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wwfp-w96m-c6x8" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8", "reference_id": "GHSA-wwfp-w96m-c6x8", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:38:52Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement", "reference_id": "openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:38:52Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41346", "GHSA-wwfp-w96m-c6x8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c7gn-3t5r-j7bu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69923?format=api", "vulnerability_id": "VCID-c8dt-7z8a-qufe", "summary": "OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45003", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01333", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01834", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01826", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45003" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45003", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45003" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272", "reference_id": "0623079e98abf7202591f1b04a89755eb7ec9272", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "4.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272" }, { "reference_url": "https://github.com/advisories/GHSA-55cf-xx38-4p9p", "reference_id": "GHSA-55cf-xx38-4p9p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-55cf-xx38-4p9p" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p", "reference_id": "GHSA-55cf-xx38-4p9p", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files", "reference_id": "openclaw-connector-endpoint-host-override-via-workspace-dotenv-files", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "4.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "CVE-2026-45003", "GHSA-55cf-xx38-4p9p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8dt-7z8a-qufe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359957?format=api", "vulnerability_id": "VCID-c8mh-j256-j3aa", "summary": "## Impact\n\nOpenClaw Host-Exec Environment Variable Injection.\n\nHost exec could inherit environment variables that influence interpreters, shells, or build tools.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.28`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @wsparks-vc for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-w9j9-w4cp-6wgr", "reference_id": "GHSA-w9j9-w4cp-6wgr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9j9-w4cp-6wgr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr", "reference_id": "GHSA-w9j9-w4cp-6wgr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "GHSA-w9j9-w4cp-6wgr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8mh-j256-j3aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67686?format=api", "vulnerability_id": "VCID-cbdg-vzrj-puc2", "summary": "OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44995", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01927", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02796", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02786", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02801", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44995" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44995", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44995" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af", "reference_id": "62fa5071896e95edc7f67d1cebc70a2859e283af", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b", "reference_id": "85d86ebc4bf3d2226d39d132a484f4f7a299fa1b", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b" }, { "reference_url": "https://github.com/advisories/GHSA-mj59-h3q9-ghfh", "reference_id": "GHSA-mj59-h3q9-ghfh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mj59-h3q9-ghfh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh", "reference_id": "GHSA-mj59-h3q9-ghfh", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables", "reference_id": "openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "CVE-2026-44995", "GHSA-mj59-h3q9-ghfh" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cbdg-vzrj-puc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67718?format=api", "vulnerability_id": "VCID-cf4u-fs5p-3ue3", "summary": "OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44117", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14214", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14184", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14211", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14096", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44117" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44117", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44117" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09", "reference_id": "49db424c8001f2f419aad85f434894d8d85c1a09", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:33:16Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09" }, { "reference_url": "https://github.com/advisories/GHSA-c4qg-j8jg-42q5", "reference_id": "GHSA-c4qg-j8jg-42q5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4qg-j8jg-42q5" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5", "reference_id": "GHSA-c4qg-j8jg-42q5", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:33:16Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload", "reference_id": "openclaw-server-side-request-forgery-in-qqbot-direct-media-upload", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:33:16Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "CVE-2026-44117", "GHSA-c4qg-j8jg-42q5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cf4u-fs5p-3ue3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70398?format=api", "vulnerability_id": "VCID-cfj6-nuq4-wudw", "summary": "OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42429", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20608", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20609", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.2063", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20432", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42429" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42429", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42429" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:09:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-4f8g-77mw-3rxc", "reference_id": "GHSA-4f8g-77mw-3rxc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4f8g-77mw-3rxc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc", "reference_id": "GHSA-4f8g-77mw-3rxc", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:09:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication", "reference_id": "openclaw-privilege-escalation-via-gateway-plugin-http-authentication", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:09:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42429", "GHSA-4f8g-77mw-3rxc" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cfj6-nuq4-wudw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359911?format=api", "vulnerability_id": "VCID-cj2h-dvh1-1bhx", "summary": "OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes\n## Summary\nSSH-based sandbox backends pass unsanitized process.env to child processes\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so lower to low.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `cfe14459531e002a1c61c27d97ec7dc8aecddc1f` — 2026-03-30T20:05:57+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/advisories/GHSA-j9pv-rrcj-6pfx", "reference_id": "GHSA-j9pv-rrcj-6pfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j9pv-rrcj-6pfx" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx", "reference_id": "GHSA-j9pv-rrcj-6pfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-j9pv-rrcj-6pfx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cj2h-dvh1-1bhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65518?format=api", "vulnerability_id": "VCID-crh9-tw4p-2bgr", "summary": "OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43567", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10419", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10447", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10473", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10471", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43567" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63551", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63551" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a", "reference_id": "635bb35b68d8faa5bfa2fda35feadd315122748a", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43567", "reference_id": "CVE-2026-43567", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43567" }, { "reference_url": "https://github.com/advisories/GHSA-jf25-7968-h2h5", "reference_id": "GHSA-jf25-7968-h2h5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jf25-7968-h2h5" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5", "reference_id": "GHSA-jf25-7968-h2h5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-screen-record-outpath-parameter", "reference_id": "openclaw-path-traversal-in-screen-record-outpath-parameter", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-screen-record-outpath-parameter" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43567", "GHSA-jf25-7968-h2h5" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-crh9-tw4p-2bgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65603?format=api", "vulnerability_id": "VCID-d34s-z46v-gygk", "summary": "OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11234", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11226", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11169", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43573" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/64370", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/64370" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43573", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43573" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a", "reference_id": "daeb74920d5ad986cb600625180037e23221e93a", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a" }, { "reference_url": "https://github.com/advisories/GHSA-527m-976r-jf79", "reference_id": "GHSA-527m-976r-jf79", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-527m-976r-jf79" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79", "reference_id": "GHSA-527m-976r-jf79", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes", "reference_id": "openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43573", "GHSA-527m-976r-jf79" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d34s-z46v-gygk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71572?format=api", "vulnerability_id": "VCID-d8dy-y1mu-bqgc", "summary": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35654", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1248", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.124", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12491", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.125", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35654" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea", "reference_id": "c5415a474bb085404c20f8b312e436997977b1ea", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:43:38Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35654", "reference_id": "CVE-2026-35654", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35654" }, { "reference_url": "https://github.com/advisories/GHSA-rf6h-5gpw-qrgq", "reference_id": "GHSA-rf6h-5gpw-qrgq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rf6h-5gpw-qrgq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq", "reference_id": "GHSA-rf6h-5gpw-qrgq", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:43:38Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke", "reference_id": "openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:43:38Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35654", "GHSA-rf6h-5gpw-qrgq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d8dy-y1mu-bqgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360033?format=api", "vulnerability_id": "VCID-djr4-azeh-mfap", "summary": "OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure\n## Summary\n\nThe jq safe-bin policy blocked explicit `env` usage but still allowed jq programs that accessed environment data through `$ENV`.\n\n## Impact\n\nAn operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope.\n\n## Affected Component\n\n`src/infra/exec-safe-bin-semantics.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `78e2f3d66d` (`Exec: tighten jq safe-bin env checks`).\n\nThanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/78e2f3d66d74e5c7e6f45c54162e63986e39771b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/78e2f3d66d74e5c7e6f45c54162e63986e39771b" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h" }, { "reference_url": "https://github.com/advisories/GHSA-jccr-rrw2-vc8h", "reference_id": "GHSA-jccr-rrw2-vc8h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jccr-rrw2-vc8h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-jccr-rrw2-vc8h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djr4-azeh-mfap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81026?format=api", "vulnerability_id": "VCID-dtva-truu-4qac", "summary": "OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41402", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11329", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11388", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11355", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11399", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41402" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41402", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41402" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf", "reference_id": "4d038bb242c11f39e45f6a4bde400e5fd42e4ebf", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf" }, { "reference_url": "https://github.com/advisories/GHSA-hhq4-97c2-p447", "reference_id": "GHSA-hhq4-97c2-p447", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hhq4-97c2-p447" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447", "reference_id": "GHSA-hhq4-97c2-p447", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass", "reference_id": "openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41402", "GHSA-hhq4-97c2-p447" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dtva-truu-4qac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67782?format=api", "vulnerability_id": "VCID-e327-pu9e-x7gh", "summary": "OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44997", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0842", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09884", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09871", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09886", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44997" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44997", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44997" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2", "reference_id": "31160dc069b7cc5d833b39c53736a41ad3befda2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2" }, { "reference_url": "https://github.com/advisories/GHSA-q3jj-46pq-826r", "reference_id": "GHSA-q3jj-46pq-826r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3jj-46pq-826r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r", "reference_id": "GHSA-q3jj-46pq-826r", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions", "reference_id": "openclaw-security-envelope-constraint-bypass-in-acp-child-sessions", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "CVE-2026-44997", "GHSA-q3jj-46pq-826r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e327-pu9e-x7gh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359872?format=api", "vulnerability_id": "VCID-e351-abpr-7fhx", "summary": "Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q", "reference_id": "GHSA-fvx6-pj3r-5q4q", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q" }, { "reference_url": "https://github.com/advisories/GHSA-rf75-g96h-j3rm", "reference_id": "GHSA-rf75-g96h-j3rm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rf75-g96h-j3rm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "GHSA-rf75-g96h-j3rm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e351-abpr-7fhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360110?format=api", "vulnerability_id": "VCID-e6cf-mh6h-pqgn", "summary": "OpenClaw SSRF guard misses four IPv6 special-use ranges\n## Summary\n\nThe SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed.\n\n## Impact\n\nAn attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard.\n\n## Affected Component\n\n`src/shared/net/ip.ts, src/infra/net/ssrf.*`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `d61f8e5672` (`Net: block missing IPv6 special-use ranges`).\n\nOpenClaw thanks @nicky-cc of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d61f8e56723e03573b847422468d99c44c26e34f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/d61f8e56723e03573b847422468d99c44c26e34f" }, { "reference_url": "https://github.com/advisories/GHSA-g86v-f9qv-rh6m", "reference_id": "GHSA-g86v-f9qv-rh6m", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g86v-f9qv-rh6m" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m", "reference_id": "GHSA-g86v-f9qv-rh6m", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-g86v-f9qv-rh6m" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e6cf-mh6h-pqgn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359800?format=api", "vulnerability_id": "VCID-e6q6-e2my-gfce", "summary": "OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read\n## Summary\nOpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `4797bbc5b96e2cca5532e43b58915c051746fe37` — 2026-03-25T13:35:16-06:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.28`.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-f6pf-4gjx-c94r", "reference_id": "GHSA-f6pf-4gjx-c94r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6pf-4gjx-c94r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r", "reference_id": "GHSA-f6pf-4gjx-c94r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-f6pf-4gjx-c94r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e6q6-e2my-gfce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80750?format=api", "vulnerability_id": "VCID-e84v-kdtb-5ycs", "summary": "OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can send Discord voice ingress requests before channel allowlist authorization is performed, gaining unauthorized access to restricted voice channels.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41381", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41381" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41381", "reference_id": "CVE-2026-41381", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41381" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759", "reference_id": "dba96e7507e0900f120e5e28e57755d69bf78759", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759" }, { "reference_url": "https://github.com/advisories/GHSA-cqgw-44wg-44rf", "reference_id": "GHSA-cqgw-44wg-44rf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cqgw-44wg-44rf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf", "reference_id": "GHSA-cqgw-44wg-44rf", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist", "reference_id": "openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41381", "GHSA-cqgw-44wg-44rf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e84v-kdtb-5ycs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67649?format=api", "vulnerability_id": "VCID-e8sz-63dk-tfbs", "summary": "OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44991", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09004", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10527", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1055", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44991" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44991", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44991" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c7058c371f261fda2b5d4de4a882", "reference_id": "2aa93d44a1b2c7058c371f261fda2b5d4de4a882", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c7058c371f261fda2b5d4de4a882" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/995febb7b1e811ff6a1df5b18c22de94103f4c9f", "reference_id": "995febb7b1e811ff6a1df5b18c22de94103f4c9f", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/995febb7b1e811ff6a1df5b18c22de94103f4c9f" }, { "reference_url": "https://github.com/advisories/GHSA-c28g-vh7m-fm7v", "reference_id": "GHSA-c28g-vh7m-fm7v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c28g-vh7m-fm7v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v", "reference_id": "GHSA-c28g-vh7m-fm7v", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-owner-enforced-commands-via-wildcard-channel-senders", "reference_id": "openclaw-authorization-bypass-in-owner-enforced-commands-via-wildcard-channel-senders", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-owner-enforced-commands-via-wildcard-channel-senders" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374221?format=api", "purl": "pkg:npm/openclaw@2026.4.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.21" } ], "aliases": [ "CVE-2026-44991", "GHSA-c28g-vh7m-fm7v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e8sz-63dk-tfbs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65588?format=api", "vulnerability_id": "VCID-eaeg-e381-nyh5", "summary": "OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43533", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.2024", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20414", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20437", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20416", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43533" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63271", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63271" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6", "reference_id": "604777e4414cc3b2ff8861f18f4fb04374c702c6", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43533", "reference_id": "CVE-2026-43533", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43533" }, { "reference_url": "https://github.com/advisories/GHSA-66r7-m7xm-v49h", "reference_id": "GHSA-66r7-m7xm-v49h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-66r7-m7xm-v49h" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h", "reference_id": "GHSA-66r7-m7xm-v49h", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags", "reference_id": "openclaw-arbitrary-local-file-read-via-qqbot-media-tags", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43533", "GHSA-66r7-m7xm-v49h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eaeg-e381-nyh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80632?format=api", "vulnerability_id": "VCID-ed61-sus3-3yh9", "summary": "OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41376", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04399", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04382", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04384", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04394", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41376" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41376", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41376" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8a563d603b70ef6338915f0527bee87282c3bad5", "reference_id": "8a563d603b70ef6338915f0527bee87282c3bad5", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/8a563d603b70ef6338915f0527bee87282c3bad5" }, { "reference_url": "https://github.com/advisories/GHSA-rg8m-3943-vm6q", "reference_id": "GHSA-rg8m-3943-vm6q", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rg8m-3943-vm6q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q", "reference_id": "GHSA-rg8m-3943-vm6q", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation", "reference_id": "openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41376", "GHSA-rg8m-3943-vm6q" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ed61-sus3-3yh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360432?format=api", "vulnerability_id": "VCID-eefn-gpc1-mfdx", "summary": "OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes\n## Summary\n\nThe agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations.\n\n## Impact\n\nA prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected: versions before `2026.4.23`\n- Fixed: `2026.4.23`\n- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`\n\n## Fix\n\nOpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked.\n\n## Fix Commit(s)\n\n- `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`)\n\n## Severity\n\nSeverity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-cwj3-vqpp-pmxr", "reference_id": "GHSA-cwj3-vqpp-pmxr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwj3-vqpp-pmxr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr", "reference_id": "GHSA-cwj3-vqpp-pmxr", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375456?format=api", "purl": "pkg:npm/openclaw@2026.4.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23" } ], "aliases": [ "GHSA-cwj3-vqpp-pmxr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eefn-gpc1-mfdx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359834?format=api", "vulnerability_id": "VCID-eju9-rz5x-1bbk", "summary": "Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf", "reference_id": "GHSA-9jpj-g8vv-j5mf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf" }, { "reference_url": "https://github.com/advisories/GHSA-ch86-pxr9-j9h9", "reference_id": "GHSA-ch86-pxr9-j9h9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ch86-pxr9-j9h9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "GHSA-ch86-pxr9-j9h9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eju9-rz5x-1bbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71792?format=api", "vulnerability_id": "VCID-epaf-29e7-kue8", "summary": "OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35668", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.1702", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17161", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17188", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17175", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35668" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35668", "reference_id": "CVE-2026-35668", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35668" }, { "reference_url": "https://github.com/advisories/GHSA-hr5v-j9h9-xjhg", "reference_id": "GHSA-hr5v-j9h9-xjhg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hr5v-j9h9-xjhg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg", "reference_id": "GHSA-hr5v-j9h9-xjhg", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:26:56Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters", "reference_id": "openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:26:56Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35668", "GHSA-hr5v-j9h9-xjhg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-epaf-29e7-kue8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80760?format=api", "vulnerability_id": "VCID-esve-n4ww-rudc", "summary": "OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41377", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11771", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11742", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11765", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11687", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41377" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/0d7f1e2c84eca65df7dee890d9c30e2a841c030a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/0d7f1e2c84eca65df7dee890d9c30e2a841c030a" }, { "reference_url": "https://github.com/openclaw/openclaw/44b993613601280d46a5b88190e46669fc13d669", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/44b993613601280d46a5b88190e46669fc13d669" }, { "reference_url": "https://github.com/openclaw/openclaw/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41377", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41377" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a", "reference_id": "0d7f1e2c84eca65df7dee890d9c30e2a841c030a", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669", "reference_id": "44b993613601280d46a5b88190e46669fc13d669", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916", "reference_id": "7a953a52271b9188a5fa830739a4366614ff9916", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68", "reference_id": "bf96c67fd1954740aeabfadc7cfe3098bcfc6b68", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68" }, { "reference_url": "https://github.com/advisories/GHSA-cwq8-6f96-g3q4", "reference_id": "GHSA-cwq8-6f96-g3q4", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwq8-6f96-g3q4" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4", "reference_id": "GHSA-cwq8-6f96-g3q4", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation", "reference_id": "openclaw-fail-open-security-scan-bypass-in-plugin-installation", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41377", "GHSA-cwq8-6f96-g3q4" ], "risk_score": 2.3, "exploitability": "0.5", "weighted_severity": "4.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-esve-n4ww-rudc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65528?format=api", "vulnerability_id": "VCID-f22e-sy58-g7fb", "summary": "OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43569", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00116", "scoring_system": "epss", "scoring_elements": "0.30192", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00116", "scoring_system": "epss", "scoring_elements": "0.3019", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00116", "scoring_system": "epss", "scoring_elements": "0.30209", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00116", "scoring_system": "epss", "scoring_elements": "0.29996", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43569" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/62368", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/62368" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43569", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43569" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2d97eae53e212ae26f3aebcd6a50ffc6877f770d", "reference_id": "2d97eae53e212ae26f3aebcd6a50ffc6877f770d", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2d97eae53e212ae26f3aebcd6a50ffc6877f770d" }, { "reference_url": "https://github.com/advisories/GHSA-939r-rj45-g2rj", "reference_id": "GHSA-939r-rj45-g2rj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-939r-rj45-g2rj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj", "reference_id": "GHSA-939r-rj45-g2rj", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth", "reference_id": "openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373416?format=api", "purl": "pkg:npm/openclaw@2026.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-bdss-ct5q-cyak" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vbfg-fz5c-9yde" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9" } ], "aliases": [ "CVE-2026-43569", "GHSA-939r-rj45-g2rj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f22e-sy58-g7fb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75183?format=api", "vulnerability_id": "VCID-f5q3-7bm2-1kgw", "summary": "OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34504", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18076", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18068", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.18092", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17917", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34504" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928", "reference_id": "80d1e8a11a2ac118c7f7a70bba9c862b6141d928", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:21:09Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928" }, { "reference_url": "https://github.com/advisories/GHSA-qxgf-hmcj-3xw3", "reference_id": "GHSA-qxgf-hmcj-3xw3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qxgf-hmcj-3xw3" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3", "reference_id": "GHSA-qxgf-hmcj-3xw3", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:21:09Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider", "reference_id": "openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:21:09Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-34504", "GHSA-qxgf-hmcj-3xw3" ], "risk_score": 3.8, "exploitability": "0.5", "weighted_severity": "7.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f5q3-7bm2-1kgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70371?format=api", "vulnerability_id": "VCID-f925-x5qa-buav", "summary": "OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42439", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11169", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11192", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11226", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11234", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42439" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/48c03479211799ec3c1305ad69037cea25ba0e1e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/48c03479211799ec3c1305ad69037cea25ba0e1e" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63332", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63332" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42439", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42439" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3", "reference_id": "48c0347921b7e9438af0312968fc360ca88023f3", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3" }, { "reference_url": "https://github.com/advisories/GHSA-rj2p-j66c-mgqh", "reference_id": "GHSA-rj2p-j66c-mgqh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rj2p-j66c-mgqh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh", "reference_id": "GHSA-rj2p-j66c-mgqh", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes", "reference_id": "openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-42439", "GHSA-rj2p-j66c-mgqh" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f925-x5qa-buav" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70622?format=api", "vulnerability_id": "VCID-f95y-gnx3-wydp", "summary": "OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42433", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09884", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09871", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09886", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09834", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42433" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/62662", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/62662" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42433", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42433" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54", "reference_id": "fe0f686c9228fffcec6de4011da45e69a6e23e54", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:48:50Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54" }, { "reference_url": "https://github.com/advisories/GHSA-7jp6-r74r-995q", "reference_id": "GHSA-7jp6-r74r-995q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jp6-r74r-995q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q", "reference_id": "GHSA-7jp6-r74r-995q", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:48:50Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools", "reference_id": "openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:48:50Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-42433", "GHSA-7jp6-r74r-995q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f95y-gnx3-wydp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70438?format=api", "vulnerability_id": "VCID-fcfw-yctj-v3cy", "summary": "OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42435", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31188", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.3138", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31399", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00124", "scoring_system": "epss", "scoring_elements": "0.31381", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42435" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/65717", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/65717" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab", "reference_id": "8f8492d172f4c5b4fd7dd9a47855ed620c8770ab", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42435", "reference_id": "CVE-2026-42435", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42435" }, { "reference_url": "https://github.com/advisories/GHSA-j6c7-3h5x-99g9", "reference_id": "GHSA-j6c7-3h5x-99g9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j6c7-3h5x-99g9" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9", "reference_id": "GHSA-j6c7-3h5x-99g9", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection", "reference_id": "openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373522?format=api", "purl": "pkg:npm/openclaw@2026.4.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12" } ], "aliases": [ "CVE-2026-42435", "GHSA-j6c7-3h5x-99g9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fcfw-yctj-v3cy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69771?format=api", "vulnerability_id": "VCID-fgkb-fmuq-wffh", "summary": "OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45004", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02795", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03606", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03593", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03602", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45004" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45004", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45004" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707", "reference_id": "993781e6e6eaf50f033cfc3e3bf4f47059740707", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707" }, { "reference_url": "https://github.com/advisories/GHSA-r39h-4c2p-3jxp", "reference_id": "GHSA-r39h-4c2p-3jxp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r39h-4c2p-3jxp" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp", "reference_id": "GHSA-r39h-4c2p-3jxp", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory", "reference_id": "openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375456?format=api", "purl": "pkg:npm/openclaw@2026.4.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23" } ], "aliases": [ "CVE-2026-45004", "GHSA-r39h-4c2p-3jxp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fgkb-fmuq-wffh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359840?format=api", "vulnerability_id": "VCID-fzag-upa9-n7cr", "summary": "OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses\n## Summary\nSandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `32a4a47d602e0618f87b3e59f94d8c142767f860` — 2026-03-30T16:49:49+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/advisories/GHSA-rm5c-4rmf-vvhw", "reference_id": "GHSA-rm5c-4rmf-vvhw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rm5c-4rmf-vvhw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw", "reference_id": "GHSA-rm5c-4rmf-vvhw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-rm5c-4rmf-vvhw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fzag-upa9-n7cr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360178?format=api", "vulnerability_id": "VCID-g2hf-mzjs-2fbn", "summary": "Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579" }, { "reference_url": "https://github.com/advisories/GHSA-f275-5h5c-5wg5", "reference_id": "GHSA-f275-5h5c-5wg5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f275-5h5c-5wg5" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497", "reference_id": "GHSA-hc5h-pmr3-3497", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-f275-5h5c-5wg5" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g2hf-mzjs-2fbn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80745?format=api", "vulnerability_id": "VCID-gd62-paxx-abgy", "summary": "OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41916", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25318", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25115", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25313", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25331", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41916" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41916", "reference_id": "CVE-2026-41916", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41916" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:00:46Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-68x5-xx89-w9mm", "reference_id": "GHSA-68x5-xx89-w9mm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68x5-xx89-w9mm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm", "reference_id": "GHSA-68x5-xx89-w9mm", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:00:46Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-stale-authentication-state-via-config-reload", "reference_id": "openclaw-stale-authentication-state-via-config-reload", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:00:46Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-stale-authentication-state-via-config-reload" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-41916", "GHSA-68x5-xx89-w9mm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gd62-paxx-abgy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359253?format=api", "vulnerability_id": "VCID-gh64-hwfz-p3ep", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41380", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08327", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08365", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08367", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08363", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41380" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41380", "reference_id": "CVE-2026-41380", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41380" }, { "reference_url": "https://github.com/advisories/GHSA-p4x4-2r7f-wjxg", "reference_id": "GHSA-p4x4-2r7f-wjxg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4x4-2r7f-wjxg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41380", "GHSA-p4x4-2r7f-wjxg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gh64-hwfz-p3ep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81072?format=api", "vulnerability_id": "VCID-h5h5-c9az-4be3", "summary": "OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41396", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02642", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02643", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02633", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02637", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41396" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41396", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41396" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289", "reference_id": "330a9f98cb29c79b1c16a2117e03d6276a0d6289", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289" }, { "reference_url": "https://github.com/advisories/GHSA-qcj9-wwgw-6gm8", "reference_id": "GHSA-qcj9-wwgw-6gm8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qcj9-wwgw-6gm8" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8", "reference_id": "GHSA-qcj9-wwgw-6gm8", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root", "reference_id": "openclaw-environment-variable-override-of-plugin-trust-root", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41396", "GHSA-qcj9-wwgw-6gm8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h5h5-c9az-4be3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75226?format=api", "vulnerability_id": "VCID-h6wv-azua-wkgw", "summary": "OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34425", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07494", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07512", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.0752", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07527", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34425" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513", "reference_id": "8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:00:24Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513" }, { "reference_url": "https://github.com/advisories/GHSA-fvx6-pj3r-5q4q", "reference_id": "GHSA-fvx6-pj3r-5q4q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fvx6-pj3r-5q4q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q", "reference_id": "GHSA-fvx6-pj3r-5q4q", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:00:24Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass", "reference_id": "openclaw-shell-bleed-protection-preflight-validation-bypass", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:00:24Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-34425", "GHSA-fvx6-pj3r-5q4q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h6wv-azua-wkgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74642?format=api", "vulnerability_id": "VCID-h77b-c2kq-8kej", "summary": "OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34511", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13235", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13215", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13241", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13138", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34511" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f", "reference_id": "a26f4d0f3ef0757db6c6c40277cc06a5de76c52f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f" }, { "reference_url": "https://github.com/advisories/GHSA-9jpj-g8vv-j5mf", "reference_id": "GHSA-9jpj-g8vv-j5mf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9jpj-g8vv-j5mf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf", "reference_id": "GHSA-9jpj-g8vv-j5mf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter", "reference_id": "openclaw-pkce-verifier-exposure-via-oauth-state-parameter", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-34511", "GHSA-9jpj-g8vv-j5mf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h77b-c2kq-8kej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65597?format=api", "vulnerability_id": "VCID-h78a-py8h-ekgj", "summary": "OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43584", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33695", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33871", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33896", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33874", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43584" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43584", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43584" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140", "reference_id": "2d126fc62343a7b6895351f96e4e1474bc358140", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:02:18Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140" }, { "reference_url": "https://github.com/advisories/GHSA-vfp4-8x56-j7c5", "reference_id": "GHSA-vfp4-8x56-j7c5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vfp4-8x56-j7c5" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5", "reference_id": "GHSA-vfp4-8x56-j7c5", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:02:18Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy", "reference_id": "openclaw-insufficient-environment-variable-denylist-in-exec-policy", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:02:18Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43584", "GHSA-vfp4-8x56-j7c5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h78a-py8h-ekgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359785?format=api", "vulnerability_id": "VCID-hbkd-8rx2-4qb8", "summary": "OpenClaw: Agent gateway config mutations could change protected operator settings\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.\n\nThis is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.\n\n## Fix\n\nOpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.\n\nFix commit:\n\n- `fe30b31a97a917ecc6e92f6c85378b6b20352422`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-7jm2-g593-4qrc", "reference_id": "GHSA-7jm2-g593-4qrc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jm2-g593-4qrc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc", "reference_id": "GHSA-7jm2-g593-4qrc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "GHSA-7jm2-g593-4qrc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hbkd-8rx2-4qb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359258?format=api", "vulnerability_id": "VCID-hh2g-pzbh-13ax", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14355", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14477", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14474", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14448", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41406" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41406", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41406" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages" }, { "reference_url": "https://github.com/advisories/GHSA-877v-w3f5-3pcq", "reference_id": "GHSA-877v-w3f5-3pcq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-877v-w3f5-3pcq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41406", "GHSA-877v-w3f5-3pcq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hh2g-pzbh-13ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80877?format=api", "vulnerability_id": "VCID-hrnb-5t6m-jkaq", "summary": "OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41910", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25317", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25322", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25334", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25118", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41910" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41910", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41910" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:04:48Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-vc32-h5mq-453v", "reference_id": "GHSA-vc32-h5mq-453v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vc32-h5mq-453v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v", "reference_id": "GHSA-vc32-h5mq-453v", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:04:48Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes", "reference_id": "openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:04:48Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-41910", "GHSA-vc32-h5mq-453v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hrnb-5t6m-jkaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81006?format=api", "vulnerability_id": "VCID-j13w-x4ky-8yhd", "summary": "OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05633", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05643", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05651", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05658", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41332" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/6eb82fba3cbfd0e50b179c1fada92e1e22dce7fa", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/6eb82fba3cbfd0e50b179c1fada92e1e22dce7fa" }, { "reference_url": "https://github.com/advisories/GHSA-m866-6qv5-p2fg", "reference_id": "GHSA-m866-6qv5-p2fg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m866-6qv5-p2fg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg", "reference_id": "GHSA-m866-6qv5-p2fg", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:46:25Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-code-execution-via-missing-environment-variable-blocklist", "reference_id": "openclaw-code-execution-via-missing-environment-variable-blocklist", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:46:25Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-code-execution-via-missing-environment-variable-blocklist" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41332", "GHSA-m866-6qv5-p2fg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j13w-x4ky-8yhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65483?format=api", "vulnerability_id": "VCID-jarm-du2f-1uef", "summary": "OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43529", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02153", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02158", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02149", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.0215", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43529" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/62333", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/62333" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91", "reference_id": "b024fae9e5df43e9b69b2daebb72be3469d52e91", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43529", "reference_id": "CVE-2026-43529", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43529" }, { "reference_url": "https://github.com/advisories/GHSA-gj9q-8w99-mp8j", "reference_id": "GHSA-gj9q-8w99-mp8j", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj9q-8w99-mp8j" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j", "reference_id": "GHSA-gj9q-8w99-mp8j", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator", "reference_id": "openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43529", "GHSA-gj9q-8w99-mp8j" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jarm-du2f-1uef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360332?format=api", "vulnerability_id": "VCID-jdbz-6b2q-xyav", "summary": "OpenClaw's Gateway Control UI bootstrap config required Gateway auth\n## Summary\nGateway Control UI bootstrap config required Gateway auth.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nWhen Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions.\n\n## Fix\nThe bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling.\n\n## Fix Commit(s)\n- 2321d67263bc710e357644d59f746b08d891051b\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @zsxsoft for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-93rg-2xm5-2p9v", "reference_id": "GHSA-93rg-2xm5-2p9v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93rg-2xm5-2p9v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v", "reference_id": "GHSA-93rg-2xm5-2p9v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "GHSA-93rg-2xm5-2p9v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jdbz-6b2q-xyav" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80642?format=api", "vulnerability_id": "VCID-jj5g-2uaq-tua3", "summary": "OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41369", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1726", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17412", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1744", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17425", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41369" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c", "reference_id": "eb8de6715f02949c21c4e895fffc8a6dcb00975c", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:58Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c" }, { "reference_url": "https://github.com/advisories/GHSA-cg7q-fg22-4g98", "reference_id": "GHSA-cg7q-fg22-4g98", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cg7q-fg22-4g98" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98", "reference_id": "GHSA-cg7q-fg22-4g98", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:58Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution", "reference_id": "openclaw-insufficient-environment-variable-sanitization-in-host-execution", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:58Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41369", "GHSA-cg7q-fg22-4g98" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jj5g-2uaq-tua3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81044?format=api", "vulnerability_id": "VCID-jnbs-cnfs-nkb5", "summary": "OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41347", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04721", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.047", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04707", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0472", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41347" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41347", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41347" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d", "reference_id": "6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:35:10Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d" }, { "reference_url": "https://github.com/advisories/GHSA-mhr7-2xmv-4c4q", "reference_id": "GHSA-mhr7-2xmv-4c4q", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mhr7-2xmv-4c4q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q", "reference_id": "GHSA-mhr7-2xmv-4c4q", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:35:10Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints", "reference_id": "openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:35:10Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41347", "GHSA-mhr7-2xmv-4c4q" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jnbs-cnfs-nkb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359880?format=api", "vulnerability_id": "VCID-jwnv-j7hq-sbh9", "summary": "OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths\n## Summary\n\nThe QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.\n\n## Impact\n\nWhen the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient.\n\nVerified in `v2026.4.15`:\n\n- `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path.\n- `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66026", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66026" }, { "reference_url": "https://github.com/advisories/GHSA-f934-5rqf-xx47", "reference_id": "GHSA-f934-5rqf-xx47", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f934-5rqf-xx47" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f934-5rqf-xx47", "reference_id": "GHSA-f934-5rqf-xx47", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f934-5rqf-xx47" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373280?format=api", "purl": "pkg:npm/openclaw@2026.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15" } ], "aliases": [ "GHSA-f934-5rqf-xx47" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jwnv-j7hq-sbh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359257?format=api", "vulnerability_id": "VCID-jzvr-jz7v-q3h1", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41405", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45758", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45903", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45911", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45897", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41405" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/3834d47099dd13c8244ed6de8b9ea9855c553623", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/3834d47099dd13c8244ed6de8b9ea9855c553623" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p464-m8x6-vhv8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p464-m8x6-vhv8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41405", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41405" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-ms-teams-webhook-body-parsing", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-ms-teams-webhook-body-parsing" }, { "reference_url": "https://github.com/advisories/GHSA-p464-m8x6-vhv8", "reference_id": "GHSA-p464-m8x6-vhv8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p464-m8x6-vhv8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41405", "GHSA-p464-m8x6-vhv8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jzvr-jz7v-q3h1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71677?format=api", "vulnerability_id": "VCID-k1fs-5s5j-xyh6", "summary": "OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35618", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13335", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13424", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13449", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13444", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35618" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "reference_id": "630f1479c44f78484dfa21bb407cbe6f171dac87", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b", "reference_id": "b0ce53a79cf63834660270513e26d921899b4e5b", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b" }, { "reference_url": "https://github.com/advisories/GHSA-cg6c-q2hx-69h7", "reference_id": "GHSA-cg6c-q2hx-69h7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cg6c-q2hx-69h7" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7", "reference_id": "GHSA-cg6c-q2hx-69h7", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification", "reference_id": "openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373851?format=api", "purl": "pkg:npm/openclaw@2026.3.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2d6p-8jxd-1yc4" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4n9g-ymdq-6fhd" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4srt-x1xb-xqa8" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-54js-czwp-jkce" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5k9d-n6kg-g3bn" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bj4f-1qy4-33g7" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c723-znew-ebhm" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-epaf-29e7-kue8" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-qx6n-dk9c-8yd3" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-ub5p-bp37-hff5" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-w49b-cbcg-abat" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-ye9d-bzdx-bbeq" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23" } ], "aliases": [ "CVE-2026-35618", "GHSA-cg6c-q2hx-69h7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k1fs-5s5j-xyh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359842?format=api", "vulnerability_id": "VCID-kact-h3hk-d7eg", "summary": "OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0\n## Summary\n\nSandbox browser CDP relay could expose DevTools protocol on 0.0.0.0.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range.\n\n## Technical Details\n\nThe fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured.\n\n## Fix\n\nThe issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `fbf11ebdb7110632f93926d0ac7b48f04cb44d77`\n- PR: #61404\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/61404", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/61404" }, { "reference_url": "https://github.com/advisories/GHSA-525j-hqq2-66r4", "reference_id": "GHSA-525j-hqq2-66r4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-525j-hqq2-66r4" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4", "reference_id": "GHSA-525j-hqq2-66r4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "GHSA-525j-hqq2-66r4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kact-h3hk-d7eg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81033?format=api", "vulnerability_id": "VCID-kdn3-sa62-4bef", "summary": "OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41388", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12968", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12957", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12978", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12872", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41388" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a4d72a83f01fedd35964c352e3473c7712a3511b", "reference_id": "a4d72a83f01fedd35964c352e3473c7712a3511b", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a4d72a83f01fedd35964c352e3473c7712a3511b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41388", "reference_id": "CVE-2026-41388", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41388" }, { "reference_url": "https://github.com/advisories/GHSA-3pm9-5j7m-59vc", "reference_id": "GHSA-3pm9-5j7m-59vc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3pm9-5j7m-59vc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc", "reference_id": "GHSA-3pm9-5j7m-59vc", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-configuration-rehydration-via-empty-array-revocation-handling", "reference_id": "openclaw-configuration-rehydration-via-empty-array-revocation-handling", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-configuration-rehydration-via-empty-array-revocation-handling" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41388", "GHSA-3pm9-5j7m-59vc" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kdn3-sa62-4bef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70463?format=api", "vulnerability_id": "VCID-kfmd-usy4-afbu", "summary": "OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42430", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10161", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10151", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10166", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10114", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42430" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42430", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42430" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-w8g9-x8gx-crmm", "reference_id": "GHSA-w8g9-x8gx-crmm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w8g9-x8gx-crmm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm", "reference_id": "GHSA-w8g9-x8gx-crmm", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-strict-browser-ssrf-bypass-via-playwright-redirect-handling", "reference_id": "openclaw-strict-browser-ssrf-bypass-via-playwright-redirect-handling", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-strict-browser-ssrf-bypass-via-playwright-redirect-handling" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42430", "GHSA-w8g9-x8gx-crmm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kfmd-usy4-afbu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65585?format=api", "vulnerability_id": "VCID-kkqe-kjun-mufe", "summary": "OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43526", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14157", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14245", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14273", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14276", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43526" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/08ae021d1f42905a85a550813c0d95169b171a6c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/08ae021d1f42905a85a550813c0d95169b171a6c" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63495", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63495" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/65788", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/65788" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43526", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43526" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a", "reference_id": "08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d", "reference_id": "ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d" }, { "reference_url": "https://github.com/advisories/GHSA-2767-2q9v-9326", "reference_id": "GHSA-2767-2q9v-9326", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2767-2q9v-9326" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326", "reference_id": "GHSA-2767-2q9v-9326", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling", "reference_id": "openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373522?format=api", "purl": "pkg:npm/openclaw@2026.4.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12" } ], "aliases": [ "CVE-2026-43526", "GHSA-2767-2q9v-9326" ], "risk_score": 3.8, "exploitability": "0.5", "weighted_severity": "7.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kkqe-kjun-mufe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360054?format=api", "vulnerability_id": "VCID-kkw6-d2rs-9uh3", "summary": "OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events\n## Summary\n\nBlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nBlueBubbles group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` applies the reaction path to the same mention gate as normal group messages.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`.\n\n## Fix Commit(s)\n\n- `f8c98630785288cc1f1d0893503ef3b653a3cede`", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-mw7w-g3mg-xqm7", "reference_id": "GHSA-mw7w-g3mg-xqm7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mw7w-g3mg-xqm7" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7", "reference_id": "GHSA-mw7w-g3mg-xqm7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7" } ], "fixed_packages": [], "aliases": [ "GHSA-mw7w-g3mg-xqm7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kkw6-d2rs-9uh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80969?format=api", "vulnerability_id": "VCID-kprt-1prq-n7bt", "summary": "OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification, Docker restrictions, and Git TLS enforcement.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41330", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02847", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02841", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02831", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02838", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41330" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41330", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41330" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4d912e04519b4bd53b248437c53748cdebce9a41", "reference_id": "4d912e04519b4bd53b248437c53748cdebce9a41", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/4d912e04519b4bd53b248437c53748cdebce9a41" }, { "reference_url": "https://github.com/advisories/GHSA-9gp8-hjxr-6f34", "reference_id": "GHSA-9gp8-hjxr-6f34", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9gp8-hjxr-6f34" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34", "reference_id": "GHSA-9gp8-hjxr-6f34", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-via-host-exec-policy", "reference_id": "openclaw-environment-variable-override-via-host-exec-policy", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-via-host-exec-policy" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41330", "GHSA-9gp8-hjxr-6f34" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kprt-1prq-n7bt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359254?format=api", "vulnerability_id": "VCID-kxyq-t74z-p3gf", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41385", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0392", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03939", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03928", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.0394", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41385" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/57700d716f660591fb6e09727f3ca8041fa48b9d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/57700d716f660591fb6e09727f3ca8041fa48b9d" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjw7-3vjf-fg5j", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjw7-3vjf-fg5j" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41385", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41385" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-nostr-private-key-exposure-via-config-get-redaction-bypass", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-nostr-private-key-exposure-via-config-get-redaction-bypass" }, { "reference_url": "https://github.com/advisories/GHSA-jjw7-3vjf-fg5j", "reference_id": "GHSA-jjw7-3vjf-fg5j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jjw7-3vjf-fg5j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41385", "GHSA-jjw7-3vjf-fg5j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kxyq-t74z-p3gf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71936?format=api", "vulnerability_id": "VCID-m3h2-6en6-2ye4", "summary": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35657", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09011", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.0905", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09062", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.0906", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35657" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea", "reference_id": "1c45123231516fa50f8cf8522ba5ff2fb2ca7aea", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:28:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35657", "reference_id": "CVE-2026-35657", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35657" }, { "reference_url": "https://github.com/advisories/GHSA-5jvj-hxmh-6h6j", "reference_id": "GHSA-5jvj-hxmh-6h6j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5jvj-hxmh-6h6j" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j", "reference_id": "GHSA-5jvj-hxmh-6h6j", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:28:43Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route", "reference_id": "openclaw-authorization-bypass-in-http-session-history-route", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:28:43Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374938?format=api", "purl": "pkg:npm/openclaw@2026.3.25", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.25" }, { "url": "http://public2.vulnerablecode.io/api/packages/981079?format=api", "purl": "pkg:npm/openclaw@2026.3.28-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28-beta.1" } ], "aliases": [ "CVE-2026-35657", "GHSA-5jvj-hxmh-6h6j" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m3h2-6en6-2ye4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80817?format=api", "vulnerability_id": "VCID-m4qc-8d4v-dbe2", "summary": "OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41295", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03587", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03606", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03593", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03602", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41295" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0", "reference_id": "53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41295", "reference_id": "CVE-2026-41295", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41295" }, { "reference_url": "https://github.com/advisories/GHSA-2qrv-rc5x-2g2h", "reference_id": "GHSA-2qrv-rc5x-2g2h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2qrv-rc5x-2g2h" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h", "reference_id": "GHSA-2qrv-rc5x-2g2h", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup", "reference_id": "openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41295", "GHSA-2qrv-rc5x-2g2h" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m4qc-8d4v-dbe2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80996?format=api", "vulnerability_id": "VCID-m8ba-t6kp-3kcx", "summary": "OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting malicious symlinks in mirror sync operations to access arbitrary files outside intended boundaries.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41397", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.2259", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22777", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22797", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00075", "scoring_system": "epss", "scoring_elements": "0.22785", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41397" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41397", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41397" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320", "reference_id": "3b9dab0ece4643a9643e6a45459f5c709d3ce320", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1", "reference_id": "c02ee8a3a4cb390b23afdf21317aa8b2096854d1", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1" }, { "reference_url": "https://github.com/advisories/GHSA-cwf8-44x6-32c2", "reference_id": "GHSA-cwf8-44x6-32c2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cwf8-44x6-32c2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2", "reference_id": "GHSA-cwf8-44x6-32c2", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-unrestricted-file-sync-and-symlink-traversal", "reference_id": "openclaw-sandbox-escape-via-unrestricted-file-sync-and-symlink-traversal", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-unrestricted-file-sync-and-symlink-traversal" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41397", "GHSA-cwf8-44x6-32c2" ], "risk_score": 4.3, "exploitability": "0.5", "weighted_severity": "8.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m8ba-t6kp-3kcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359866?format=api", "vulnerability_id": "VCID-mdss-pw9y-7kh6", "summary": "Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35640", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35640" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456", "reference_id": "GHSA-3h52-cx59-c456", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456" }, { "reference_url": "https://github.com/advisories/GHSA-8f9r-gr6r-x63q", "reference_id": "GHSA-8f9r-gr6r-x63q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8f9r-gr6r-x63q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-8f9r-gr6r-x63q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mdss-pw9y-7kh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80985?format=api", "vulnerability_id": "VCID-msr2-gsjh-1bat", "summary": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper administrative privileges.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41375", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25322", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25118", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25317", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25334", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41375" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/aa66ae1fc797d3298cc409ed2c5da69a89950a45", "reference_id": "aa66ae1fc797d3298cc409ed2c5da69a89950a45", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:26:54Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/aa66ae1fc797d3298cc409ed2c5da69a89950a45" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41375", "reference_id": "CVE-2026-41375", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41375" }, { "reference_url": "https://github.com/advisories/GHSA-h2v7-xc88-xx8c", "reference_id": "GHSA-h2v7-xc88-xx8c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h2v7-xc88-xx8c" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h2v7-xc88-xx8c", "reference_id": "GHSA-h2v7-xc88-xx8c", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:26:54Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h2v7-xc88-xx8c" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints", "reference_id": "openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:26:54Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41375", "GHSA-h2v7-xc88-xx8c" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-msr2-gsjh-1bat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65512?format=api", "vulnerability_id": "VCID-mzpq-bw9z-w7dm", "summary": "OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43570", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25574", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25788", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25772", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43570" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43570", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43570" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/94b0062e90467e1582b47cc971f308457c537f3a", "reference_id": "94b0062e90467e1582b47cc971f308457c537f3a", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:13:19Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/94b0062e90467e1582b47cc971f308457c537f3a" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b1dd3ded3589f6fa60ab85b3930a82d538edaeae", "reference_id": "b1dd3ded3589f6fa60ab85b3930a82d538edaeae", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:13:19Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b1dd3ded3589f6fa60ab85b3930a82d538edaeae" }, { "reference_url": "https://github.com/advisories/GHSA-35mw-5vvr-vrxc", "reference_id": "GHSA-35mw-5vvr-vrxc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35mw-5vvr-vrxc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cr8r-7g2h-6wr6", "reference_id": "GHSA-cr8r-7g2h-6wr6", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:13:19Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cr8r-7g2h-6wr6" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-remote-marketplace-repository-path-handling", "reference_id": "openclaw-symlink-traversal-in-remote-marketplace-repository-path-handling", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:13:19Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-remote-marketplace-repository-path-handling" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373918?format=api", "purl": "pkg:npm/openclaw@2026.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-bpy3-pdqr-uube" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5" } ], "aliases": [ "CVE-2026-43570", "GHSA-35mw-5vvr-vrxc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mzpq-bw9z-w7dm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359244?format=api", "vulnerability_id": "VCID-n3c5-p4ah-e7e9", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41336", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03606", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03587", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03593", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03602", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41336" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3qpv-xf3v-mm45", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3qpv-xf3v-mm45" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41336", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41336" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-hook-code-execution-via-openclaw-bundled-hooks-dir-environment-variable-override", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-hook-code-execution-via-openclaw-bundled-hooks-dir-environment-variable-override" }, { "reference_url": "https://github.com/advisories/GHSA-3qpv-xf3v-mm45", "reference_id": "GHSA-3qpv-xf3v-mm45", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3qpv-xf3v-mm45" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41336", "GHSA-3qpv-xf3v-mm45" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n3c5-p4ah-e7e9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78214?format=api", "vulnerability_id": "VCID-na8n-2vex-zfdb", "summary": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33579", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06201", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06193", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0621", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06222", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33579" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4ee4960de2330b5322127f925f3687dc6f105be1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/4ee4960de2330b5322127f925f3687dc6f105be1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd", "reference_id": "e403decb6e20091b5402780a7ccd2085f98aa3cd", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:39Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd" }, { "reference_url": "https://github.com/advisories/GHSA-hc5h-pmr3-3497", "reference_id": "GHSA-hc5h-pmr3-3497", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hc5h-pmr3-3497" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497", "reference_id": "GHSA-hc5h-pmr3-3497", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:39Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval", "reference_id": "openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:39Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-33579", "GHSA-hc5h-pmr3-3497" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-na8n-2vex-zfdb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360096?format=api", "vulnerability_id": "VCID-nfvd-f7cc-tkhm", "summary": "Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qxgf-hmcj-3xw3. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504" }, { "reference_url": "https://github.com/advisories/GHSA-35cq-wv6v-88xf", "reference_id": "GHSA-35cq-wv6v-88xf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35cq-wv6v-88xf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3", "reference_id": "GHSA-qxgf-hmcj-3xw3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-35cq-wv6v-88xf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nfvd-f7cc-tkhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70395?format=api", "vulnerability_id": "VCID-nkkj-ue4v-3ueh", "summary": "OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42421", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42421" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42421", "reference_id": "CVE-2026-42421", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42421" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:15:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-5h3f-885m-v22w", "reference_id": "GHSA-5h3f-885m-v22w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5h3f-885m-v22w" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w", "reference_id": "GHSA-5h3f-885m-v22w", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:15:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-websocket-session-persistence-via-shared-gateway-token-rotation", "reference_id": "openclaw-websocket-session-persistence-via-shared-gateway-token-rotation", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:15:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-websocket-session-persistence-via-shared-gateway-token-rotation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42421", "GHSA-5h3f-885m-v22w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nkkj-ue4v-3ueh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71784?format=api", "vulnerability_id": "VCID-np53-nrkf-uyhe", "summary": "OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35651", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10343", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10324", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10347", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10291", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35651" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35651", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35651" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60", "reference_id": "464e2c10a5edceb380d815adb6ff56e1a4c50f60", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:29:21Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60" }, { "reference_url": "https://github.com/advisories/GHSA-4hmj-39m8-jwc7", "reference_id": "GHSA-4hmj-39m8-jwc7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hmj-39m8-jwc7" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7", "reference_id": "GHSA-4hmj-39m8-jwc7", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:29:21Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt", "reference_id": "openclaw-ansi-escape-sequence-injection-in-approval-prompt", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:29:21Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35651", "GHSA-4hmj-39m8-jwc7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-np53-nrkf-uyhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81029?format=api", "vulnerability_id": "VCID-pecx-xt79-1kht", "summary": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41303", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23453", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23639", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23658", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23648", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41303" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/355abe5eba28012e6a95b9923a32831fcf870344", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/355abe5eba28012e6a95b9923a32831fcf870344" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41303", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41303" }, { "reference_url": "https://github.com/advisories/GHSA-98hh-7ghg-x6rq", "reference_id": "GHSA-98hh-7ghg-x6rq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-98hh-7ghg-x6rq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq", "reference_id": "GHSA-98hh-7ghg-x6rq", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:44Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-text-approval-commands", "reference_id": "openclaw-authorization-bypass-in-discord-text-approval-commands", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:44Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-text-approval-commands" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41303", "GHSA-98hh-7ghg-x6rq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pecx-xt79-1kht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71908?format=api", "vulnerability_id": "VCID-pjra-aaxs-ybek", "summary": "OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35634", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10225", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.1026", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10278", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10274", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35634" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35634", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35634" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "reference_id": "630f1479c44f78484dfa21bb407cbe6f171dac87", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e", "reference_id": "d5dc6b6573ae489bc7e5651090f4767b93537c9e", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e" }, { "reference_url": "https://github.com/advisories/GHSA-6mqc-jqh6-x8fc", "reference_id": "GHSA-6mqc-jqh6-x8fc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mqc-jqh6-x8fc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc", "reference_id": "GHSA-6mqc-jqh6-x8fc", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway", "reference_id": "openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373851?format=api", "purl": "pkg:npm/openclaw@2026.3.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2d6p-8jxd-1yc4" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4n9g-ymdq-6fhd" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4srt-x1xb-xqa8" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-54js-czwp-jkce" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5k9d-n6kg-g3bn" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bj4f-1qy4-33g7" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c723-znew-ebhm" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-epaf-29e7-kue8" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-qx6n-dk9c-8yd3" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-ub5p-bp37-hff5" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-w49b-cbcg-abat" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-ye9d-bzdx-bbeq" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23" } ], "aliases": [ "CVE-2026-35634", "GHSA-6mqc-jqh6-x8fc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pjra-aaxs-ybek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359815?format=api", "vulnerability_id": "VCID-pu7g-crjz-27c6", "summary": "OpenClaw: pnpm dlx approvals did not bind local script operands\n## Summary\n\nBefore OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval.\n\n## Impact\n\nAn operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @Kazamayc for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj" }, { "reference_url": "https://github.com/advisories/GHSA-w6wx-jq6j-6mcj", "reference_id": "GHSA-w6wx-jq6j-6mcj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w6wx-jq6j-6mcj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "GHSA-w6wx-jq6j-6mcj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pu7g-crjz-27c6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359266?format=api", "vulnerability_id": "VCID-pyut-62r7-6fgp", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42420", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16196", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16338", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1635", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1632", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42420" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42420", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42420" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-improper-base64-decoding-size-validation", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-improper-base64-decoding-size-validation" }, { "reference_url": "https://github.com/advisories/GHSA-ccx3-fw7q-rr2r", "reference_id": "GHSA-ccx3-fw7q-rr2r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ccx3-fw7q-rr2r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42420", "GHSA-ccx3-fw7q-rr2r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pyut-62r7-6fgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359922?format=api", "vulnerability_id": "VCID-q6h5-e93e-j3d7", "summary": "Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646" }, { "reference_url": "https://github.com/advisories/GHSA-59xc-5v89-r7pr", "reference_id": "GHSA-59xc-5v89-r7pr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-59xc-5v89-r7pr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm", "reference_id": "GHSA-mf5g-6r6f-ghhm", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-59xc-5v89-r7pr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q6h5-e93e-j3d7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359921?format=api", "vulnerability_id": "VCID-qcrw-m7k3-ubgm", "summary": "OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`\n## Summary\n\nThe `chat.send` path reused command authorization to trigger `/reset` session rotation even though direct session reset is an admin-only control-plane operation.\n\n## Impact\n\nA write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id without admin scope.\n\n## Affected Component\n\n`src/gateway/server-methods/chat.ts, src/auto-reply/reply/session.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `be00fcfccb` (`Gateway: align chat.send reset scope checks`).", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/be00fcfccba108f88dc3d4380146c6e058770b03", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/be00fcfccba108f88dc3d4380146c6e058770b03" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://github.com/advisories/GHSA-5r8f-96gm-5j6g", "reference_id": "GHSA-5r8f-96gm-5j6g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5r8f-96gm-5j6g" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g", "reference_id": "GHSA-5r8f-96gm-5j6g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-5r8f-96gm-5j6g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qcrw-m7k3-ubgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359263?format=api", "vulnerability_id": "VCID-qmnc-zfxh-87g4", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41912", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10114", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10161", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10166", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10151", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41912" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41912", "reference_id": "CVE-2026-41912", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41912" }, { "reference_url": "https://github.com/advisories/GHSA-vr5g-mmx7-h897", "reference_id": "GHSA-vr5g-mmx7-h897", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr5g-mmx7-h897" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-41912", "GHSA-vr5g-mmx7-h897" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmnc-zfxh-87g4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80789?format=api", "vulnerability_id": "VCID-qpq9-cabj-a7hj", "summary": "OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41908", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11227", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11185", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11219", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11162", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41908" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41908", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41908" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036", "reference_id": "99ef3a63c58440d53f8e45ad861b846032fcb036", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T18:25:38Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036" }, { "reference_url": "https://github.com/advisories/GHSA-v8qf-fr4g-28p2", "reference_id": "GHSA-v8qf-fr4g-28p2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v8qf-fr4g-28p2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2", "reference_id": "GHSA-v8qf-fr4g-28p2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T18:25:38Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route", "reference_id": "openclaw-scope-enforcement-bypass-in-assistant-media-route", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T18:25:38Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "CVE-2026-41908", "GHSA-v8qf-fr4g-28p2" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qpq9-cabj-a7hj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67930?format=api", "vulnerability_id": "VCID-qqsk-1mk9-pygw", "summary": "OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44113", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11644", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11609", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11638", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11567", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44113" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44113", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44113" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45", "reference_id": "95119017c847c737bd113f0bff728c4666d79c45", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45" }, { "reference_url": "https://github.com/advisories/GHSA-5h3g-6xhh-rg6p", "reference_id": "GHSA-5h3g-6xhh-rg6p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5h3g-6xhh-rg6p" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p", "reference_id": "GHSA-5h3g-6xhh-rg6p", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge", "reference_id": "openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "CVE-2026-44113", "GHSA-5h3g-6xhh-rg6p" ], "risk_score": 3.8, "exploitability": "0.5", "weighted_severity": "7.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qqsk-1mk9-pygw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80816?format=api", "vulnerability_id": "VCID-qqz4-uy33-qya2", "summary": "OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41911", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19432", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19267", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19436", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19455", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41911" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41911", "reference_id": "CVE-2026-41911", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41911" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:39:00Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-5fc7-f62m-8983", "reference_id": "GHSA-5fc7-f62m-8983", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fc7-f62m-8983" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983", "reference_id": "GHSA-5fc7-f62m-8983", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:39:00Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image", "reference_id": "openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:39:00Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-41911", "GHSA-5fc7-f62m-8983" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qqz4-uy33-qya2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360014?format=api", "vulnerability_id": "VCID-qt48-xw6x-nudj", "summary": "Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv", "reference_id": "GHSA-2pr2-hcv6-7gwv", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv" }, { "reference_url": "https://github.com/advisories/GHSA-89hr-6x2p-8xjv", "reference_id": "GHSA-89hr-6x2p-8xjv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-89hr-6x2p-8xjv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-89hr-6x2p-8xjv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qt48-xw6x-nudj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359756?format=api", "vulnerability_id": "VCID-qt8t-f9xc-qbgp", "summary": "Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40037", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40037" }, { "reference_url": "https://github.com/advisories/GHSA-pg8g-f2hf-x82m", "reference_id": "GHSA-pg8g-f2hf-x82m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pg8g-f2hf-x82m" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m", "reference_id": "GHSA-qx8j-g322-qj6m", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "GHSA-pg8g-f2hf-x82m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qt8t-f9xc-qbgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70177?format=api", "vulnerability_id": "VCID-qujt-gddx-ckbm", "summary": "OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42422", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16007", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16125", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16159", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16149", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42422" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42422", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42422" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-whf9-3hcx-gq54", "reference_id": "GHSA-whf9-3hcx-gq54", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-whf9-3hcx-gq54" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54", "reference_id": "GHSA-whf9-3hcx-gq54", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-role-bypass-in-device-token-rotate-function", "reference_id": "openclaw-role-bypass-in-device-token-rotate-function", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-role-bypass-in-device-token-rotate-function" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42422", "GHSA-whf9-3hcx-gq54" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qujt-gddx-ckbm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360197?format=api", "vulnerability_id": "VCID-qx6n-dk9c-8yd3", "summary": "OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n**Title** \nMutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement\n\n**CWE** \nCWE-862 Missing Authorization\n\n**CVSS v3.1** \nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N \nBase score: **6.5 (Medium)**\n\n**Severity Assessment** \nMedium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with `operator.write`.\n\n**Impact** \nAn authenticated internal Gateway caller limited to `operator.write` can perform state-changing `/allowlist` actions without `operator.admin`, even though comparable mutating internal chat commands already require `operator.admin`. The reachable effects are persistent changes to config-backed `allowFrom` entries and pairing-store-backed allowlist entries.\n\nThis is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish `operator.write` from `operator.admin`.\n\n**Affected Component** \nVerified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`.\n\nExact vulnerable path on the shipped tag:\n- `src/auto-reply/reply/commands-allowlist.ts:251-254`\n - `/allowlist` authorization uses only `rejectUnauthorizedCommand(...)`.\n- `src/auto-reply/reply/commands-allowlist.ts:386-524`\n - mutating config and pairing-store writes happen here, but there is no `requireGatewayClientScopeForInternalChannel(..., operator.admin, ...)`.\n\nReachability and scope model:\n- `src/gateway/method-scopes.ts:94-109`\n - `chat.send` is a write-scoped method.\n- `src/gateway/server.chat.gateway-server-chat.test.ts:539-559`\n - existing runtime coverage proves `chat.send` routes slash commands without an agent run.\n- `src/auto-reply/command-auth.ts:574-577`\n - internal callers become `senderIsOwner` only when `GatewayClientScopes` includes `operator.admin`.\n\nComparable internal mutating command paths already enforce `operator.admin`:\n- `src/auto-reply/reply/commands-config.ts:64-73`\n- `src/auto-reply/reply/commands-mcp.ts:89-96`\n- `src/auto-reply/reply/commands-plugins.ts:387-394`\n- `src/auto-reply/reply/commands-acp.ts:98-106`\n\nVersion history:\n- Introduced by commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` (`feat: add /allowlist command`)\n- Earliest released affected tag found: `v2026.1.20`\n- Latest released affected tag verified: `v2026.3.23`\n\n**Technical Reproduction** \n1. Check out the shipped release tag `v2026.3.23`.\n2. Use an internal command context with:\n - `Provider = \"webchat\"`\n - `Surface = \"webchat\"`\n - `GatewayClientScopes = [\"operator.write\"]`\n - `params.command.channel = \"webchat\"`\n3. Route a slash command through `chat.send`.\n4. Execute either of these mutating commands:\n - `/allowlist add dm channel=telegram 789`\n - `/allowlist add dm --store channel=telegram 789`\n5. Confirm the command context is authorized but not owner-equivalent:\n - `isAuthorizedSender === true`\n - `senderIsOwner === false`\n6. Observe that the commands still succeed and perform persistent writes.\n\n**Demonstrated Impact** \nThe vulnerable handler performs real state mutation for a low-scope internal caller:\n- Config-backed mutation path:\n - `src/auto-reply/reply/commands-allowlist.ts:398-503`\n - reads the config snapshot, applies the edit, validates, and writes the updated config to disk.\n- Store-backed mutation path:\n - `src/auto-reply/reply/commands-allowlist.ts:479-485`\n - `src/auto-reply/reply/commands-allowlist.ts:513-518`\n - updates the pairing-store allowlist without any admin-scope gate.\n\nThe result is successful persistence, not just a misleading success message.\n\n**Environment** \n- Product: OpenClaw\n- Verified shipped tag: `v2026.3.23`\n- Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2`\n- Published GitHub release time: `2026-03-23T23:15:50Z`\n- Verification date: `2026-03-24`\n\n**Duplicate Check** \nThis is not a duplicate of:\n- `GHSA-pjvx-rx66-r3fg`\n - that advisory covered cross-account scoping in `/allowlist ... --store`, not missing internal `operator.admin` enforcement.\n- `GHSA-hfpr-jhpq-x4rm`\n - that advisory covered `/config` writes through `chat.send`, not `/allowlist`.\n- `GHSA-3w6x-gv34-mqpf`\n - same authorization class, but different command path (`/acp`, not `/allowlist`).\n\n**In Scope Check** \nThis report is in scope under `SECURITY.md` because:\n- it does **not** rely on adversarial operators sharing one gateway host or config;\n- it does **not** target the HTTP compatibility endpoints that `SECURITY.md` explicitly treats as full operator-access surfaces;\n- it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (`operator.write` vs `operator.admin`);\n- peer mutating internal chat commands already enforce `operator.admin`, so this is not a request for a new boundary but a missing check on an existing one.\n\nThis is therefore a concrete authorization bug, not a trusted-operator hardening suggestion.\n\n**Remediation Advice** \n1. Add `requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...)` to the mutating internal `/allowlist` paths.\n2. Add regression coverage for both mutation modes:\n - internal `operator.write` must be rejected;\n - internal `operator.admin` must be allowed.\n3. Cover both config-backed and store-backed writes.\n4. Audit other mutating internal chat-command paths for the same missing-scope pattern.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-vqvg-86cc-cg83", "reference_id": "GHSA-vqvg-86cc-cg83", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqvg-86cc-cg83" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83", "reference_id": "GHSA-vqvg-86cc-cg83", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "GHSA-vqvg-86cc-cg83" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qx6n-dk9c-8yd3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67822?format=api", "vulnerability_id": "VCID-r75w-jwbm-dyew", "summary": "OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44999", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04755", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05529", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05537", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05543", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44999" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44999", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44999" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/f61896b03cc7031f51106a04566831f4ac2a0bd7", "reference_id": "f61896b03cc7031f51106a04566831f4ac2a0bd7", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/f61896b03cc7031f51106a04566831f4ac2a0bd7" }, { "reference_url": "https://github.com/advisories/GHSA-57r2-h2wj-g887", "reference_id": "GHSA-57r2-h2wj-g887", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-57r2-h2wj-g887" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887", "reference_id": "GHSA-57r2-h2wj-g887", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-improper-trust-labeling-in-isolated-cron-awareness-events", "reference_id": "openclaw-improper-trust-labeling-in-isolated-cron-awareness-events", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-improper-trust-labeling-in-isolated-cron-awareness-events" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "CVE-2026-44999", "GHSA-57r2-h2wj-g887" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r75w-jwbm-dyew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359255?format=api", "vulnerability_id": "VCID-rffw-fgxm-1ue9", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41398", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00686", "published_at": "2026-06-11T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00684", "published_at": "2026-06-12T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00685", "published_at": "2026-06-13T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.0069", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41398" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41398", "reference_id": "CVE-2026-41398", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41398" }, { "reference_url": "https://github.com/advisories/GHSA-4p4f-fc8q-84m3", "reference_id": "GHSA-4p4f-fc8q-84m3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4p4f-fc8q-84m3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41398", "GHSA-4p4f-fc8q-84m3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rffw-fgxm-1ue9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70144?format=api", "vulnerability_id": "VCID-rm55-3hs1-23b4", "summary": "OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42432", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08083", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08113", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08118", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42432" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42432", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42432" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:17:47Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-5wj5-87vq-39xm", "reference_id": "GHSA-5wj5-87vq-39xm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5wj5-87vq-39xm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm", "reference_id": "GHSA-5wj5-87vq-39xm", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:17:47Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-command-escalation-via-node-pairing-reconnect-bypass", "reference_id": "openclaw-command-escalation-via-node-pairing-reconnect-bypass", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:17:47Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-command-escalation-via-node-pairing-reconnect-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42432", "GHSA-5wj5-87vq-39xm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rm55-3hs1-23b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65517?format=api", "vulnerability_id": "VCID-rr2j-c7md-57gj", "summary": "OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43535", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.0906", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.0905", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09062", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09011", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43535" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66024", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66024" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43535", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43535" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69", "reference_id": "43d4be902755c970b3d15608679761877718da69", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69" }, { "reference_url": "https://github.com/advisories/GHSA-jwrq-8g5x-5fhm", "reference_id": "GHSA-jwrq-8g5x-5fhm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jwrq-8g5x-5fhm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm", "reference_id": "GHSA-jwrq-8g5x-5fhm", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches", "reference_id": "openclaw-authorization-context-reuse-in-collect-mode-queue-batches", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373341?format=api", "purl": "pkg:npm/openclaw@2026.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14" } ], "aliases": [ "CVE-2026-43535", "GHSA-jwrq-8g5x-5fhm" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rr2j-c7md-57gj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71734?format=api", "vulnerability_id": "VCID-s45u-hr8t-gffq", "summary": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35617", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.2048", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20478", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20501", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20304", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35617" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35617", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35617" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff", "reference_id": "11ea1f67863d88b6cbcb229dd368a45e07094bff", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:41:28Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff" }, { "reference_url": "https://github.com/advisories/GHSA-52q4-3xjc-6778", "reference_id": "GHSA-52q4-3xjc-6778", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-52q4-3xjc-6778" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778", "reference_id": "GHSA-52q4-3xjc-6778", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:41:28Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname", "reference_id": "openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:41:28Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35617", "GHSA-52q4-3xjc-6778" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s45u-hr8t-gffq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71558?format=api", "vulnerability_id": "VCID-sb3c-wxqd-akg3", "summary": "OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35660", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16638", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16507", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16653", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16665", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35660" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0", "reference_id": "50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87", "reference_id": "630f1479c44f78484dfa21bb407cbe6f171dac87", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35660", "reference_id": "CVE-2026-35660", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35660" }, { "reference_url": "https://github.com/advisories/GHSA-wq58-2pvg-5h4f", "reference_id": "GHSA-wq58-2pvg-5h4f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wq58-2pvg-5h4f" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f", "reference_id": "GHSA-wq58-2pvg-5h4f", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset", "reference_id": "openclaw-insufficient-access-control-in-gateway-agent-session-reset", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373851?format=api", "purl": "pkg:npm/openclaw@2026.3.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2d6p-8jxd-1yc4" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4n9g-ymdq-6fhd" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4srt-x1xb-xqa8" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-54js-czwp-jkce" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5k9d-n6kg-g3bn" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bj4f-1qy4-33g7" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c723-znew-ebhm" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-epaf-29e7-kue8" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-qx6n-dk9c-8yd3" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-ub5p-bp37-hff5" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-w49b-cbcg-abat" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-ye9d-bzdx-bbeq" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23" } ], "aliases": [ "CVE-2026-35660", "GHSA-wq58-2pvg-5h4f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sb3c-wxqd-akg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360458?format=api", "vulnerability_id": "VCID-sbxm-vwhw-9fhd", "summary": "OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs\n## Summary\nExec allowlist analysis rejects shell expansion in unquoted heredocs\n\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nAn allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime.\n\n## Fix\nThe exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text.\n\n## Fix Commit(s)\n- b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nThanks @VladimirEliTokarev for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-x3h8-jrgh-p8jx", "reference_id": "GHSA-x3h8-jrgh-p8jx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x3h8-jrgh-p8jx" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx", "reference_id": "GHSA-x3h8-jrgh-p8jx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375357?format=api", "purl": "pkg:npm/openclaw@2026.4.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22" } ], "aliases": [ "GHSA-x3h8-jrgh-p8jx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sbxm-vwhw-9fhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81036?format=api", "vulnerability_id": "VCID-sqr6-smfg-uqdy", "summary": "OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41298", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41298" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41298", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41298" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/54a0878517167c6e49900498cf77420dadb74beb", "reference_id": "54a0878517167c6e49900498cf77420dadb74beb", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/54a0878517167c6e49900498cf77420dadb74beb" }, { "reference_url": "https://github.com/advisories/GHSA-5hff-46vh-rxmw", "reference_id": "GHSA-5hff-46vh-rxmw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5hff-46vh-rxmw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw", "reference_id": "GHSA-5hff-46vh-rxmw", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-session-termination-endpoint", "reference_id": "openclaw-authorization-bypass-in-session-termination-endpoint", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-session-termination-endpoint" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41298", "GHSA-5hff-46vh-rxmw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sqr6-smfg-uqdy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81126?format=api", "vulnerability_id": "VCID-sqxg-9akn-j7az", "summary": "OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12968", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12957", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12978", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12872", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41407" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41407", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41407" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/be10ecef770a4654519869c3641bbb91087c8c7b", "reference_id": "be10ecef770a4654519869c3641bbb91087c8c7b", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/be10ecef770a4654519869c3641bbb91087c8c7b" }, { "reference_url": "https://github.com/advisories/GHSA-jj6q-rrrf-h66h", "reference_id": "GHSA-jj6q-rrrf-h66h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jj6q-rrrf-h66h" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h", "reference_id": "GHSA-jj6q-rrrf-h66h", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-timing-side-channel-in-shared-secret-comparison", "reference_id": "openclaw-timing-side-channel-in-shared-secret-comparison", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-timing-side-channel-in-shared-secret-comparison" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41407", "GHSA-jj6q-rrrf-h66h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sqxg-9akn-j7az" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71696?format=api", "vulnerability_id": "VCID-svyq-6gm7-efez", "summary": "OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35646", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23592", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23408", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23615", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23603", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35646" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c", "reference_id": "0b4d07337467f4d40a0cc1ced83d45ceaec0863c", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:57:23Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c" }, { "reference_url": "https://github.com/advisories/GHSA-mf5g-6r6f-ghhm", "reference_id": "GHSA-mf5g-6r6f-ghhm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mf5g-6r6f-ghhm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm", "reference_id": "GHSA-mf5g-6r6f-ghhm", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:57:23Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation", "reference_id": "openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:57:23Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35646", "GHSA-mf5g-6r6f-ghhm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-svyq-6gm7-efez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80833?format=api", "vulnerability_id": "VCID-t14t-27xx-83g3", "summary": "OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41358", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04394", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04382", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04384", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04399", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41358" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41358", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41358" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d", "reference_id": "ac5bc4fb37becc64a2ec314864cca1565e921f2d", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:34:23Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d" }, { "reference_url": "https://github.com/advisories/GHSA-qm77-8qjp-4vcm", "reference_id": "GHSA-qm77-8qjp-4vcm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qm77-8qjp-4vcm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm", "reference_id": "GHSA-qm77-8qjp-4vcm", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:34:23Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-slack-thread-context", "reference_id": "openclaw-sender-allowlist-bypass-via-slack-thread-context", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:34:23Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-slack-thread-context" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41358", "GHSA-qm77-8qjp-4vcm" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t14t-27xx-83g3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80650?format=api", "vulnerability_id": "VCID-t2b3-n8xb-k3fn", "summary": "OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41372", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13366", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13348", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13373", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.1326", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41372" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41372", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41372" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828", "reference_id": "9c22d636697336a6b22b0ae24798d8b8325d7828", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-28T14:41:19Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828" }, { "reference_url": "https://github.com/advisories/GHSA-fh32-73r9-rgh5", "reference_id": "GHSA-fh32-73r9-rgh5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fh32-73r9-rgh5" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5", "reference_id": "GHSA-fh32-73r9-rgh5", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-28T14:41:19Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery", "reference_id": "openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-28T14:41:19Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41372", "GHSA-fh32-73r9-rgh5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t2b3-n8xb-k3fn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359759?format=api", "vulnerability_id": "VCID-t7nn-6cy7-2yak", "summary": "OpenClaw: Webchat audio embedding could read local files without local-root containment\n## Impact\n\nOpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths.\n\nIf an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check.\n\nThe impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected versions: `<= 2026.4.14`\n- Patched version: `2026.4.15`\n\nThe latest public release, `2026.4.21`, also contains the fix.\n\n## Patches\n\nThe public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding.\n\nFix commit:\n\n- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde`\n\n## Workarounds\n\nUpgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs.\n\n## Credits\n\nOpenClaw thanks @zsxsoft for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-gfg9-5357-hv4c", "reference_id": "GHSA-gfg9-5357-hv4c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gfg9-5357-hv4c" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c", "reference_id": "GHSA-gfg9-5357-hv4c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373280?format=api", "purl": "pkg:npm/openclaw@2026.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15" } ], "aliases": [ "GHSA-gfg9-5357-hv4c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t7nn-6cy7-2yak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359830?format=api", "vulnerability_id": "VCID-tegh-qc36-ufha", "summary": "OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nBundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it.\n\nThe issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium.\n\n## Fix\n\nOpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy.\n\nFix commit:\n\n- `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-qrp5-gfw2-gxv4", "reference_id": "GHSA-qrp5-gfw2-gxv4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrp5-gfw2-gxv4" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4", "reference_id": "GHSA-qrp5-gfw2-gxv4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "GHSA-qrp5-gfw2-gxv4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tegh-qc36-ufha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360021?format=api", "vulnerability_id": "VCID-tg1c-vs9g-8ya8", "summary": "OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement\n## Summary\n\nDiscord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.\n\n## Impact\n\nUsers could trigger privileged component actions from contexts that should have been blocked by Discord channel policy.\n\n## Affected Component\n\n`extensions/discord/src/monitor/agent-components.ts`\n\n## Fixed Versions\n\n- Affected: `>= 2026.2.14, <= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `511093d4b3` (`Discord: apply component interaction policy gates`).", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/511093d4b37c0831c778fabd25ec3020834983c3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/511093d4b37c0831c778fabd25ec3020834983c3" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28" }, { "reference_url": "https://github.com/advisories/GHSA-jp4j-q5fc-58gv", "reference_id": "GHSA-jp4j-q5fc-58gv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jp4j-q5fc-58gv" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv", "reference_id": "GHSA-jp4j-q5fc-58gv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-jp4j-q5fc-58gv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tg1c-vs9g-8ya8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359813?format=api", "vulnerability_id": "VCID-tgnw-vne2-2kc1", "summary": "OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads\n## Summary\n\nBrowser interaction routes could pivot into local CDP and regain file reads.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.9`\n- Patched versions: `>= 2026.4.9`\n\n## Impact\n\nBrowser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards.\n\n## Technical Details\n\nThe fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy.\n\n## Fix\n\nThe issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `5f5b3d733bdd791cb457f838514179e1288b10b3`\n- PR: #63226\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @tdjackey for reporting this issue.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63226", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63226" }, { "reference_url": "https://github.com/advisories/GHSA-qmwg-qprg-3j38", "reference_id": "GHSA-qmwg-qprg-3j38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmwg-qprg-3j38" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38", "reference_id": "GHSA-qmwg-qprg-3j38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373416?format=api", "purl": "pkg:npm/openclaw@2026.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-bdss-ct5q-cyak" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vbfg-fz5c-9yde" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9" } ], "aliases": [ "GHSA-qmwg-qprg-3j38" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tgnw-vne2-2kc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359852?format=api", "vulnerability_id": "VCID-tm7a-1rzn-5yak", "summary": "OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade\n## Impact\n\nLower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade.\n\nLower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @tdjackey for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x" }, { "reference_url": "https://github.com/advisories/GHSA-gfmx-pph7-g46x", "reference_id": "GHSA-gfmx-pph7-g46x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gfmx-pph7-g46x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "GHSA-gfmx-pph7-g46x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tm7a-1rzn-5yak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80975?format=api", "vulnerability_id": "VCID-tm94-jwz9-kkd6", "summary": "OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41351", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.1326", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13348", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13373", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13366", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41351" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41351", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41351" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a", "reference_id": "ad77666054651c1fd77b1dc60fd6a8db6600a29a", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:33:40Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a" }, { "reference_url": "https://github.com/advisories/GHSA-37v6-fxx8-xjmx", "reference_id": "GHSA-37v6-fxx8-xjmx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37v6-fxx8-xjmx" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx", "reference_id": "GHSA-37v6-fxx8-xjmx", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:33:40Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding", "reference_id": "openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:33:40Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41351", "GHSA-37v6-fxx8-xjmx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tm94-jwz9-kkd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77183?format=api", "vulnerability_id": "VCID-ts15-y9qj-13e9", "summary": "OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32846", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.082", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08228", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08229", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08236", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32846" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32846", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32846" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37", "reference_id": "4797bbc5b96e2cca5532e43b58915c051746fe37", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/54642", "reference_id": "54642", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/" } ], "url": "https://github.com/openclaw/openclaw/pull/54642" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r", "reference_id": "GHSA-f6pf-4gjx-c94r", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r" }, { "reference_url": "https://github.com/advisories/GHSA-hggm-x7r9-mm7v", "reference_id": "GHSA-hggm-x7r9-mm7v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hggm-x7r9-mm7v" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read", "reference_id": "openclaw-media-parsing-path-traversal-to-arbitrary-file-read", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-32846", "GHSA-hggm-x7r9-mm7v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ts15-y9qj-13e9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359245?format=api", "vulnerability_id": "VCID-ttg2-j7x3-m7de", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41342", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02886", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02896", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02879", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0289", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41342" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d6affb17d85f5f5ab08ef9f2b994b257af12e75a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/d6affb17d85f5f5ab08ef9f2b994b257af12e75a" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41342", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41342" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding" }, { "reference_url": "https://github.com/advisories/GHSA-3cw3-5vxw-g2h3", "reference_id": "GHSA-3cw3-5vxw-g2h3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cw3-5vxw-g2h3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41342", "GHSA-3cw3-5vxw-g2h3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ttg2-j7x3-m7de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81008?format=api", "vulnerability_id": "VCID-tyz3-w2hm-gqg7", "summary": "OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41393", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00692", "published_at": "2026-06-14T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00686", "published_at": "2026-06-13T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00687", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41393" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/a23c33a681f8c1b22dc793995acc4c5c4b568346", "reference_id": "a23c33a681f8c1b22dc793995acc4c5c4b568346", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/a23c33a681f8c1b22dc793995acc4c5c4b568346" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41393", "reference_id": "CVE-2026-41393", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41393" }, { "reference_url": "https://github.com/advisories/GHSA-q9w8-cf67-r238", "reference_id": "GHSA-q9w8-cf67-r238", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q9w8-cf67-r238" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238", "reference_id": "GHSA-q9w8-cf67-r238", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery", "reference_id": "openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41393", "GHSA-q9w8-cf67-r238" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tyz3-w2hm-gqg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71693?format=api", "vulnerability_id": "VCID-ub5p-bp37-hff5", "summary": "OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal command-authorized context and persist channel allowFrom and groupAllowFrom policy changes reserved for operator.admin scope.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35621", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11629", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.1168", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11703", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11709", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35621" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35621", "reference_id": "CVE-2026-35621", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35621" }, { "reference_url": "https://github.com/advisories/GHSA-94pw-c6m8-p9p9", "reference_id": "GHSA-94pw-c6m8-p9p9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-94pw-c6m8-p9p9" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9", "reference_id": "GHSA-94pw-c6m8-p9p9", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:21:07Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence", "reference_id": "openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:21:07Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35621", "GHSA-94pw-c6m8-p9p9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ub5p-bp37-hff5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359812?format=api", "vulnerability_id": "VCID-uxkz-gf1t-kua1", "summary": "Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35629", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35629" }, { "reference_url": "https://github.com/advisories/GHSA-8j7f-g9gv-7jhc", "reference_id": "GHSA-8j7f-g9gv-7jhc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8j7f-g9gv-7jhc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h", "reference_id": "GHSA-rhfg-j8jq-7v2h", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-8j7f-g9gv-7jhc" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxkz-gf1t-kua1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359868?format=api", "vulnerability_id": "VCID-v3g3-zvr2-3khy", "summary": "OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets\n## Summary\n\nBefore OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if `event_name` and `message_id` matched.\n\n## Impact\n\nAn attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `>= 2026.2.19, < 2026.3.31`\n- Patched versions: `>= 2026.3.31`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — scope webhook replay dedupe per target\n- `7cea7c29705b188b464cc9cdc107c275b94b2a72` — follow-up hardening to scope replay dedupe by path and account\n\n## Release Process Note\n\nThe initial fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains follow-up hardening for the same surface.\n\nThanks @nexrin for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-fqrj-m88p-qf3v", "reference_id": "GHSA-fqrj-m88p-qf3v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fqrj-m88p-qf3v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v", "reference_id": "GHSA-fqrj-m88p-qf3v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-fqrj-m88p-qf3v" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v3g3-zvr2-3khy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65465?format=api", "vulnerability_id": "VCID-v3u2-k16m-9kdp", "summary": "OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43528", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26196", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26395", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.2641", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26398", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43528" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/66030", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/66030" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4", "reference_id": "86734ef93a2f25063371b04f1946eb300548acd4", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:57Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43528", "reference_id": "CVE-2026-43528", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43528" }, { "reference_url": "https://github.com/advisories/GHSA-8372-7vhw-cm6q", "reference_id": "GHSA-8372-7vhw-cm6q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8372-7vhw-cm6q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q", "reference_id": "GHSA-8372-7vhw-cm6q", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:57Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases", "reference_id": "openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:57Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373341?format=api", "purl": "pkg:npm/openclaw@2026.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14" } ], "aliases": [ "CVE-2026-43528", "GHSA-8372-7vhw-cm6q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v3u2-k16m-9kdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359841?format=api", "vulnerability_id": "VCID-v6e8-g5w8-k3ax", "summary": "OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nBrowser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows.\n\nDefault trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low.\n\n## Fix\n\nOpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations.\n\nFix commits:\n\n- `1fd049e3074cac72f6734a7fe88468c84f5f8bd7`\n- `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-j4c5-89f5-f3pm", "reference_id": "GHSA-j4c5-89f5-f3pm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j4c5-89f5-f3pm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm", "reference_id": "GHSA-j4c5-89f5-f3pm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "GHSA-j4c5-89f5-f3pm" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v6e8-g5w8-k3ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71637?format=api", "vulnerability_id": "VCID-vh9v-4d1k-5ygk", "summary": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35669", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16007", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16125", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16159", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16149", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35669" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35669", "reference_id": "CVE-2026-35669", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35669" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe", "reference_id": "ec2dbcff9afd8a52e00de054b506c91726d9fbbe", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:16Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe" }, { "reference_url": "https://github.com/advisories/GHSA-qm2m-28pf-hgjw", "reference_id": "GHSA-qm2m-28pf-hgjw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qm2m-28pf-hgjw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw", "reference_id": "GHSA-qm2m-28pf-hgjw", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:16Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope", "reference_id": "openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:16Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope" } ], "fixed_packages": [], "aliases": [ "CVE-2026-35669", "GHSA-qm2m-28pf-hgjw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vh9v-4d1k-5ygk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359250?format=api", "vulnerability_id": "VCID-vpee-kdhr-xuf3", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41373", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02454", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02457", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02448", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41373" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e277a37f896b5011a1df06e6490c6630074d0afa", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/e277a37f896b5011a1df06e6490c6630074d0afa" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8xp-qx39-9jq9", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8xp-qx39-9jq9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41373", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41373" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-compiler-binary-substitution-via-environment-variable-override-in-host-execution-policy", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulncheck.com/advisories/openclaw-compiler-binary-substitution-via-environment-variable-override-in-host-execution-policy" }, { "reference_url": "https://github.com/advisories/GHSA-g8xp-qx39-9jq9", "reference_id": "GHSA-g8xp-qx39-9jq9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g8xp-qx39-9jq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41373", "GHSA-g8xp-qx39-9jq9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vpee-kdhr-xuf3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359252?format=api", "vulnerability_id": "VCID-vrd4-ue7s-queb", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41379", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08342", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0838", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08383", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08378", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41379" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41379", "reference_id": "CVE-2026-41379", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41379" }, { "reference_url": "https://github.com/advisories/GHSA-3q42-xmxv-9vfr", "reference_id": "GHSA-3q42-xmxv-9vfr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3q42-xmxv-9vfr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41379", "GHSA-3q42-xmxv-9vfr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vrd4-ue7s-queb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71725?format=api", "vulnerability_id": "VCID-w49b-cbcg-abat", "summary": "OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35653", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17553", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17543", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1757", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17389", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35653" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0", "reference_id": "4dcc39c25c6cc63fedfd004f52d173716576fcf0", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35653", "reference_id": "CVE-2026-35653", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35653" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a", "reference_id": "e7d11f6c33e223a0dd8a21cfe01076bd76cef87a", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a" }, { "reference_url": "https://github.com/advisories/GHSA-xp9r-prpg-373r", "reference_id": "GHSA-xp9r-prpg-373r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xp9r-prpg-373r" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r", "reference_id": "GHSA-xp9r-prpg-373r", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request", "reference_id": "openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35653", "GHSA-xp9r-prpg-373r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w49b-cbcg-abat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80718?format=api", "vulnerability_id": "VCID-wje6-u94m-h3d5", "summary": "OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41302", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13484", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13464", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13488", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13373", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41302" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41302", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41302" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b", "reference_id": "8deb9522f3d2680820588b190adb4a2a52f3670b", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b" }, { "reference_url": "https://github.com/advisories/GHSA-9q7v-8mr7-g23p", "reference_id": "GHSA-9q7v-8mr7-g23p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9q7v-8mr7-g23p" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p", "reference_id": "GHSA-9q7v-8mr7-g23p", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download", "reference_id": "openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" }, { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41302", "GHSA-9q7v-8mr7-g23p" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wje6-u94m-h3d5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80800?format=api", "vulnerability_id": "VCID-wks9-hb2x-f7et", "summary": "OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to restricted voice channels.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41382", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41382" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41382", "reference_id": "CVE-2026-41382", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41382" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759", "reference_id": "dba96e7507e0900f120e5e28e57755d69bf78759", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759" }, { "reference_url": "https://github.com/advisories/GHSA-x2m8-53h4-6hch", "reference_id": "GHSA-x2m8-53h4-6hch", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x2m8-53h4-6hch" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch", "reference_id": "GHSA-x2m8-53h4-6hch", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps", "reference_id": "openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41382", "GHSA-x2m8-53h4-6hch" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wks9-hb2x-f7et" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80825?format=api", "vulnerability_id": "VCID-wwx4-qepr-6ue8", "summary": "OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41383", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18536", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18692", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18716", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18699", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41383" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25", "reference_id": "b21c9840c2e38f4bb338d031511b479d5f07ca25", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41383", "reference_id": "CVE-2026-41383", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41383" }, { "reference_url": "https://github.com/advisories/GHSA-m34q-h93w-vg5x", "reference_id": "GHSA-m34q-h93w-vg5x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m34q-h93w-vg5x" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x", "reference_id": "GHSA-m34q-h93w-vg5x", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths", "reference_id": "openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41383", "GHSA-m34q-h93w-vg5x" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wwx4-qepr-6ue8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65521?format=api", "vulnerability_id": "VCID-x5a1-bdbv-2fbv", "summary": "OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43531", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09758", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09749", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09761", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09708", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43531" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/62660", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/62660" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43531", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43531" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c", "reference_id": "dbfcef319618158fa40b31cdac386ea34c392c0c", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c" }, { "reference_url": "https://github.com/advisories/GHSA-7wv4-cc7p-jhxc", "reference_id": "GHSA-7wv4-cc7p-jhxc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7wv4-cc7p-jhxc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc", "reference_id": "GHSA-7wv4-cc7p-jhxc", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file", "reference_id": "openclaw-environment-variable-injection-via-workspace-env-file", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373416?format=api", "purl": "pkg:npm/openclaw@2026.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-bdss-ct5q-cyak" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vbfg-fz5c-9yde" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9" } ], "aliases": [ "CVE-2026-43531", "GHSA-7wv4-cc7p-jhxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x5a1-bdbv-2fbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80690?format=api", "vulnerability_id": "VCID-xdcp-b977-e3bm", "summary": "OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while bypassing exec allowlist matching restrictions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41392", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07092", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07078", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07085", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07063", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41392" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41392", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41392" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3", "reference_id": "0c8375424620e12777ef24c162eedc7e9fcfd7e3", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3" }, { "reference_url": "https://github.com/advisories/GHSA-wpc6-37g7-8q4w", "reference_id": "GHSA-wpc6-37g7-8q4w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpc6-37g7-8q4w" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w", "reference_id": "GHSA-wpc6-37g7-8q4w", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-shell-init-file-options", "reference_id": "openclaw-exec-allowlist-bypass-via-shell-init-file-options", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-shell-init-file-options" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41392", "GHSA-wpc6-37g7-8q4w" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xdcp-b977-e3bm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70407?format=api", "vulnerability_id": "VCID-xhej-v61s-vkht", "summary": "OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42426", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12829", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12915", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12934", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12924", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42426" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42426", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42426" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_id": "d7c3210cd6f5fdfdc1beff4c9541673e814354d5", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5" }, { "reference_url": "https://github.com/advisories/GHSA-67mf-f936-ppxf", "reference_id": "GHSA-67mf-f936-ppxf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-67mf-f936-ppxf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf", "reference_id": "GHSA-67mf-f936-ppxf", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope", "reference_id": "openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "CVE-2026-42426", "GHSA-67mf-f936-ppxf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xhej-v61s-vkht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80755?format=api", "vulnerability_id": "VCID-xsbb-51rw-p7e8", "summary": "OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41365", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10467", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10444", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1047", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10415", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41365" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41365", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41365" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9", "reference_id": "5cca38084074fb5095aa11b6a59820d63e4937c9", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9" }, { "reference_url": "https://github.com/advisories/GHSA-chfm-xgc4-47rj", "reference_id": "GHSA-chfm-xgc4-47rj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-chfm-xgc4-47rj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj", "reference_id": "GHSA-chfm-xgc4-47rj", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-history", "reference_id": "openclaw-sender-allowlist-bypass-via-graph-api-thread-history", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-history" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41365", "GHSA-chfm-xgc4-47rj" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xsbb-51rw-p7e8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65500?format=api", "vulnerability_id": "VCID-xttb-bfmd-uyfh", "summary": "OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11594", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11644", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11666", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11674", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-43580" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/62023", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/62023" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63226", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63226" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/63889", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/63889" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43580", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43580" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe", "reference_id": "049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3", "reference_id": "5f5b3d733bdd791cb457f838514179e1288b10b3", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894", "reference_id": "e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894" }, { "reference_url": "https://github.com/advisories/GHSA-536q-mj95-h29h", "reference_id": "GHSA-536q-mj95-h29h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-536q-mj95-h29h" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h", "reference_id": "GHSA-536q-mj95-h29h", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions", "reference_id": "openclaw-incomplete-navigation-guard-coverage-in-browser-interactions", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373291?format=api", "purl": "pkg:npm/openclaw@2026.4.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6qbs-72h8-gua4" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9c2u-hch4-8qbj" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cvqa-cn56-kuh1" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10" } ], "aliases": [ "CVE-2026-43580", "GHSA-536q-mj95-h29h" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xttb-bfmd-uyfh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80753?format=api", "vulnerability_id": "VCID-xv1n-1wbt-8ydw", "summary": "OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41337", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11554", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11514", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11545", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11476", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41337" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41337", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41337" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b", "reference_id": "efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:28:16Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b" }, { "reference_url": "https://github.com/advisories/GHSA-89r3-6x4j-v7wf", "reference_id": "GHSA-89r3-6x4j-v7wf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-89r3-6x4j-v7wf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-89r3-6x4j-v7wf", "reference_id": "GHSA-89r3-6x4j-v7wf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:28:16Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-89r3-6x4j-v7wf" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-callback-origin-mutation-in-plivo-voice-call-replay", "reference_id": "openclaw-callback-origin-mutation-in-plivo-voice-call-replay", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:28:16Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-callback-origin-mutation-in-plivo-voice-call-replay" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41337", "GHSA-89r3-6x4j-v7wf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xv1n-1wbt-8ydw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71542?format=api", "vulnerability_id": "VCID-xw16-zng9-bug2", "summary": "OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35629", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14522", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14613", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14639", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14641", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35629" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35629", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35629" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf", "reference_id": "f92c92515bd439a71bd03eb1bc969c1964f17acf", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:32Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf" }, { "reference_url": "https://github.com/advisories/GHSA-pg2v-8xwh-qhcc", "reference_id": "GHSA-pg2v-8xwh-qhcc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pg2v-8xwh-qhcc" }, { "reference_url": "https://github.com/advisories/GHSA-rhfg-j8jq-7v2h", "reference_id": "GHSA-rhfg-j8jq-7v2h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rhfg-j8jq-7v2h" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h", "reference_id": "GHSA-rhfg-j8jq-7v2h", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:32Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions", "reference_id": "openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:32Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35629", "GHSA-rhfg-j8jq-7v2h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xw16-zng9-bug2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359847?format=api", "vulnerability_id": "VCID-y493-unyv-33bw", "summary": "Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6mqc-jqh6-x8fc. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35634", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35634" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc", "reference_id": "GHSA-6mqc-jqh6-x8fc", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc" }, { "reference_url": "https://github.com/advisories/GHSA-9gvx-vj57-vqqx", "reference_id": "GHSA-9gvx-vj57-vqqx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9gvx-vj57-vqqx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373851?format=api", "purl": "pkg:npm/openclaw@2026.3.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2d6p-8jxd-1yc4" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4n9g-ymdq-6fhd" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4srt-x1xb-xqa8" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-54js-czwp-jkce" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5k9d-n6kg-g3bn" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bj4f-1qy4-33g7" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c723-znew-ebhm" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-epaf-29e7-kue8" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-qx6n-dk9c-8yd3" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-ub5p-bp37-hff5" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-w49b-cbcg-abat" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-ye9d-bzdx-bbeq" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23" } ], "aliases": [ "GHSA-9gvx-vj57-vqqx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y493-unyv-33bw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80991?format=api", "vulnerability_id": "VCID-y5fh-j64j-8ygt", "summary": "OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41299", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20442", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.2062", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.2064", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20619", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41299" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/4b9542716c26ac77652bcaa0f562043b298b409f", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/4b9542716c26ac77652bcaa0f562043b298b409f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41299", "reference_id": "CVE-2026-41299", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41299" }, { "reference_url": "https://github.com/advisories/GHSA-6xg4-82hv-cp6f", "reference_id": "GHSA-6xg4-82hv-cp6f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xg4-82hv-cp6f" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f", "reference_id": "GHSA-6xg4-82hv-cp6f", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:38:14Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard", "reference_id": "openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:38:14Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41299", "GHSA-6xg4-82hv-cp6f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y5fh-j64j-8ygt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69848?format=api", "vulnerability_id": "VCID-y5k6-v1cj-cqg6", "summary": "OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45005", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17871", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19514", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19539", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00061", "scoring_system": "epss", "scoring_elements": "0.19517", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45005" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa", "reference_id": "36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa" }, { "reference_url": "https://github.com/advisories/GHSA-q8ff-7ffm-m3r9", "reference_id": "GHSA-q8ff-7ffm-m3r9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q8ff-7ffm-m3r9" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9", "reference_id": "GHSA-q8ff-7ffm-m3r9", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation", "reference_id": "openclaw-webhook-route-secret-cache-not-invalidated-after-rotation", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375456?format=api", "purl": "pkg:npm/openclaw@2026.4.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23" } ], "aliases": [ "CVE-2026-45005", "GHSA-q8ff-7ffm-m3r9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y5k6-v1cj-cqg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80793?format=api", "vulnerability_id": "VCID-y922-jg2a-6fff", "summary": "OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiating audio preflight operations before authorization checks are applied.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41331", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17707", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17858", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17883", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17867", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41331" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41331", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41331" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c4fa8635d03943ffe9e294d501089521dca635c5", "reference_id": "c4fa8635d03943ffe9e294d501089521dca635c5", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T12:59:50Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/c4fa8635d03943ffe9e294d501089521dca635c5" }, { "reference_url": "https://github.com/advisories/GHSA-m6fx-m8hc-572m", "reference_id": "GHSA-m6fx-m8hc-572m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m6fx-m8hc-572m" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m", "reference_id": "GHSA-m6fx-m8hc-572m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T12:59:50Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-unauthorized-telegram-audio-preflight-transcription", "reference_id": "openclaw-resource-consumption-via-unauthorized-telegram-audio-preflight-transcription", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T12:59:50Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-unauthorized-telegram-audio-preflight-transcription" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41331", "GHSA-m6fx-m8hc-572m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y922-jg2a-6fff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359915?format=api", "vulnerability_id": "VCID-y927-u929-17bd", "summary": "OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel\n## Impact\n\nAuthenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel.\n\nAn authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @tdjackey for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f" }, { "reference_url": "https://github.com/advisories/GHSA-jf56-mccx-5f3f", "reference_id": "GHSA-jf56-mccx-5f3f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jf56-mccx-5f3f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373274?format=api", "purl": "pkg:npm/openclaw@2026.4.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a727-qa7y-y3hf" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-b158-4js1-77de" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hwyc-kv1j-1yhm" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-ns2g-q3vb-akcm" }, { "vulnerability": "VCID-nue7-qr3q-e3h4" }, { "vulnerability": "VCID-qcd6-fjdp-hyam" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8" } ], "aliases": [ "GHSA-jf56-mccx-5f3f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y927-u929-17bd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71599?format=api", "vulnerability_id": "VCID-ye9d-bzdx-bbeq", "summary": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35665", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29468", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29686", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29669", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35665" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35665", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35665" }, { "reference_url": "https://github.com/advisories/GHSA-w6m8-cqvj-pg5v", "reference_id": "GHSA-w6m8-cqvj-pg5v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w6m8-cqvj-pg5v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v", "reference_id": "GHSA-w6m8-cqvj-pg5v", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:57:19Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg", "reference_id": "GHSA-x4vp-4235-65hg", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing", "reference_id": "openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:57:19Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373706?format=api", "purl": "pkg:npm/openclaw@2026.3.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1gsf-j6g3-4fd7" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-1y6e-vv6s-ckgt" }, { "vulnerability": "VCID-213t-kf4c-qfct" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2amg-4khy-1ufr" }, { "vulnerability": "VCID-2c8q-g4uw-mufb" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2keu-vgjt-t7ba" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2t7c-q448-a7bp" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3f8g-rfq5-fbeb" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-3swm-pxgf-sqbx" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-47ty-n3m4-nbbe" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-59an-tnp2-qfgg" }, { "vulnerability": "VCID-5bbp-xjjz-p3gm" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5jgs-gk2n-8fdk" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-7rcc-8g5p-3ydv" }, { "vulnerability": "VCID-7v88-gh66-ybgd" }, { "vulnerability": "VCID-812y-rb9q-m7eu" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-84y8-6fag-nbbm" }, { "vulnerability": "VCID-86wa-z59e-xqgu" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9pv2-ufhu-w7g1" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a7hc-rue8-13eb" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-b3nv-4pe7-fyhj" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bfj1-xxkp-aubu" }, { "vulnerability": "VCID-bnzw-duu7-7fgu" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bt5u-3vwp-rqcw" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-d8dy-y1mu-bqgc" }, { "vulnerability": "VCID-djr4-azeh-mfap" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e6cf-mh6h-pqgn" }, { "vulnerability": "VCID-e6q6-e2my-gfce" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f5q3-7bm2-1kgw" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-g2hf-mzjs-2fbn" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-gh64-hwfz-p3ep" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-j13w-x4ky-8yhd" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kkw6-d2rs-9uh3" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m3h2-6en6-2ye4" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mdss-pw9y-7kh6" }, { "vulnerability": "VCID-msr2-gsjh-1bat" }, { "vulnerability": "VCID-muxr-kvhn-7fcb" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-na8n-2vex-zfdb" }, { "vulnerability": "VCID-nfvd-f7cc-tkhm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-np53-nrkf-uyhe" }, { "vulnerability": "VCID-pecx-xt79-1kht" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-q6h5-e93e-j3d7" }, { "vulnerability": "VCID-qcrw-m7k3-ubgm" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt48-xw6x-nudj" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-s45u-hr8t-gffq" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-svyq-6gm7-efez" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tg1c-vs9g-8ya8" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-ts15-y9qj-13e9" }, { "vulnerability": "VCID-ttg2-j7x3-m7de" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-uxkz-gf1t-kua1" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vh9v-4d1k-5ygk" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-vrd4-ue7s-queb" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-xw16-zng9-bug2" }, { "vulnerability": "VCID-y5fh-j64j-8ygt" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y8w5-82ny-y3ez" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-ytvf-tpaj-zyet" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-z4z4-3e3q-zbfy" }, { "vulnerability": "VCID-z5ke-btzd-b7cx" }, { "vulnerability": "VCID-z9dc-47q8-7kc8" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" }, { "vulnerability": "VCID-zzub-kp8h-2kar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24" } ], "aliases": [ "CVE-2026-35665", "GHSA-w6m8-cqvj-pg5v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ye9d-bzdx-bbeq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359878?format=api", "vulnerability_id": "VCID-yjb1-4y48-a7g6", "summary": "OpenClaw: Windows-compatible env override keys could bypass system.run approval binding\n## Summary\n\nBefore OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.\n\n## Impact\n\nAn approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @iskindar for reporting, and thanks @wsparks-vc for coordination.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d" }, { "reference_url": "https://github.com/advisories/GHSA-98ch-45wp-ch47", "reference_id": "GHSA-98ch-45wp-ch47", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-98ch-45wp-ch47" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47", "reference_id": "GHSA-98ch-45wp-ch47", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "GHSA-98ch-45wp-ch47" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yjb1-4y48-a7g6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67862?format=api", "vulnerability_id": "VCID-yqjc-khg8-uyb4", "summary": "OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44114", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07205", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07239", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07238", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.07245", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44114" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44114", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44114" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6", "reference_id": "018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:52:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6" }, { "reference_url": "https://github.com/advisories/GHSA-hxvm-xjvf-93f3", "reference_id": "GHSA-hxvm-xjvf-93f3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hxvm-xjvf-93f3" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3", "reference_id": "GHSA-hxvm-xjvf-93f3", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:52:56Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv", "reference_id": "openclaw-environment-variable-namespace-collision-via-workspace-dotenv", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:52:56Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373308?format=api", "purl": "pkg:npm/openclaw@2026.4.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20" } ], "aliases": [ "CVE-2026-44114", "GHSA-hxvm-xjvf-93f3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yqjc-khg8-uyb4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360063?format=api", "vulnerability_id": "VCID-ytvf-tpaj-zyet", "summary": "OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility\n## Summary\n\n`session_status` sessionId resolution bypasses sandboxed session-tree visibility\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `>= 2026.3.11, <= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\n`session_status` previously resolved a `sessionId` to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit `sessionKey`. Commit `d9810811b6c3c9266d7580f00574e5e02f7663de` enforces visibility after `sessionId` resolution so sandboxed callers cannot escape their session tree.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d9810811b6c3c9266d7580f00574e5e02f7663de`.\n\n## Fix Commit(s)\n\n- `d9810811b6c3c9266d7580f00574e5e02f7663de`", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/advisories/GHSA-q2qc-744p-66r2", "reference_id": "GHSA-q2qc-744p-66r2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q2qc-744p-66r2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2", "reference_id": "GHSA-q2qc-744p-66r2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "GHSA-q2qc-744p-66r2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ytvf-tpaj-zyet" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81116?format=api", "vulnerability_id": "VCID-z438-846q-27f3", "summary": "OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41297", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13484", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13464", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13488", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13373", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41297" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41297", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41297" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52", "reference_id": "2ce44ca6a1302b166a128abbd78f72114f2f4f52", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52" }, { "reference_url": "https://github.com/advisories/GHSA-vjx8-8p7h-82gr", "reference_id": "GHSA-vjx8-8p7h-82gr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vjx8-8p7h-82gr" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr", "reference_id": "GHSA-vjx8-8p7h-82gr", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect", "reference_id": "openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41297", "GHSA-vjx8-8p7h-82gr" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z438-846q-27f3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71777?format=api", "vulnerability_id": "VCID-z4z4-3e3q-zbfy", "summary": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35661", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17522", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17673", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17699", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17682", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35661" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065", "reference_id": "269282ac69ab6030d5f30d04822668f607f13065", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:55Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065" }, { "reference_url": "https://github.com/advisories/GHSA-j4c9-w69r-cw33", "reference_id": "GHSA-j4c9-w69r-cw33", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j4c9-w69r-cw33" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33", "reference_id": "GHSA-j4c9-w69r-cw33", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:55Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass", "reference_id": "openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:55Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35661", "GHSA-j4c9-w69r-cw33" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z4z4-3e3q-zbfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71630?format=api", "vulnerability_id": "VCID-z5ke-btzd-b7cx", "summary": "OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35664", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27202", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26995", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27199", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27218", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35664" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354", "reference_id": "81c45976db532324b5a0918a70decc19520dc354", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:57:40Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35664", "reference_id": "CVE-2026-35664", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35664" }, { "reference_url": "https://github.com/advisories/GHSA-77w2-crqv-cmv3", "reference_id": "GHSA-77w2-crqv-cmv3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-77w2-crqv-cmv3" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3", "reference_id": "GHSA-77w2-crqv-cmv3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:57:40Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks", "reference_id": "openclaw-dm-pairing-bypass-via-legacy-card-callbacks", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:57:40Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35664", "GHSA-77w2-crqv-cmv3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z5ke-btzd-b7cx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71934?format=api", "vulnerability_id": "VCID-z9dc-47q8-7kc8", "summary": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35645", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16149", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16125", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16159", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16007", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35645" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7", "reference_id": "b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:11:49Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7" }, { "reference_url": "https://github.com/advisories/GHSA-h4jx-hjr3-fhgc", "reference_id": "GHSA-h4jx-hjr3-fhgc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h4jx-hjr3-fhgc" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc", "reference_id": "GHSA-h4jx-hjr3-fhgc", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:11:49Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession", "reference_id": "openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:11:49Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-35645", "GHSA-h4jx-hjr3-fhgc" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z9dc-47q8-7kc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80654?format=api", "vulnerability_id": "VCID-zmfp-x82c-3kcd", "summary": "OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41352", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.68013", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.68022", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.68025", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.67924", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41352" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41352", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41352" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/3886b65ef21d02808c1a106fa1f9f69e22f71c32", "reference_id": "3886b65ef21d02808c1a106fa1f9f69e22f71c32", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T16:36:03Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/3886b65ef21d02808c1a106fa1f9f69e22f71c32" }, { "reference_url": "https://github.com/advisories/GHSA-xj9w-5r6q-x6v4", "reference_id": "GHSA-xj9w-5r6q-x6v4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xj9w-5r6q-x6v4" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xj9w-5r6q-x6v4", "reference_id": "GHSA-xj9w-5r6q-x6v4", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T16:36:03Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xj9w-5r6q-x6v4" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-scope-gate-bypass", "reference_id": "openclaw-remote-code-execution-via-node-scope-gate-bypass", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T16:36:03Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-scope-gate-bypass" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41352", "GHSA-xj9w-5r6q-x6v4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zmfp-x82c-3kcd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359864?format=api", "vulnerability_id": "VCID-zqds-fryf-tbgv", "summary": "OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read\n## Summary\nPath traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read\n\n## Current Maintainer Triage\n- Normalized severity: medium\n- Assessment: v2026.3.28 ACP dispatch still reads attachment paths outside the guarded attachment-cache or root checks, and the root-enforcement fix is not yet shipped.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d` — 2026-03-30T14:04:02+01:00\n\nOpenClaw thanks @north-echo for reporting.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://github.com/advisories/GHSA-58q2-7r52-jq62", "reference_id": "GHSA-58q2-7r52-jq62", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-58q2-7r52-jq62" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-58q2-7r52-jq62", "reference_id": "GHSA-58q2-7r52-jq62", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-58q2-7r52-jq62" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "GHSA-58q2-7r52-jq62" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zqds-fryf-tbgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80958?format=api", "vulnerability_id": "VCID-zw9g-abft-skg9", "summary": "OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41343", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35317", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35501", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35517", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35495", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41343" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41343", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41343" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad", "reference_id": "57c47d8c7fbf5a2e70cc4dec2380977968903cad", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:30:05Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad" }, { "reference_url": "https://github.com/advisories/GHSA-qcc3-jqwp-5vh2", "reference_id": "GHSA-qcc3-jqwp-5vh2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qcc3-jqwp-5vh2" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2", "reference_id": "GHSA-qcc3-jqwp-5vh2", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:30:05Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency", "reference_id": "openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:30:05Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373298?format=api", "purl": "pkg:npm/openclaw@2026.3.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31" } ], "aliases": [ "CVE-2026-41343", "GHSA-qcc3-jqwp-5vh2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zw9g-abft-skg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80915?format=api", "vulnerability_id": "VCID-zxc5-3vhg-b3hw", "summary": "OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41339", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11399", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11355", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11388", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.11329", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41339" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41339", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41339" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e", "reference_id": "676b748056b5efca6f1255708e9dd9469edf5e2e", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:34:47Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e" }, { "reference_url": "https://github.com/advisories/GHSA-2f7j-rp58-mr42", "reference_id": "GHSA-2f7j-rp58-mr42", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2f7j-rp58-mr42" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42", "reference_id": "GHSA-2f7j-rp58-mr42", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:34:47Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot", "reference_id": "openclaw-information-disclosure-via-gateway-connect-snapshot", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:34:47Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373318?format=api", "purl": "pkg:npm/openclaw@2026.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7z3d-j9p7-kqed" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2" } ], "aliases": [ "CVE-2026-41339", "GHSA-2f7j-rp58-mr42" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zxc5-3vhg-b3hw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80790?format=api", "vulnerability_id": "VCID-zzub-kp8h-2kar", "summary": "OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call processing with a captured valid signed webhook.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41395", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05146", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05139", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05148", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05156", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41395" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/85777e726cb02c01a911b3ff832ddf4d664d5c94", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/85777e726cb02c01a911b3ff832ddf4d664d5c94" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41395", "reference_id": "CVE-2026-41395", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41395" }, { "reference_url": "https://github.com/advisories/GHSA-8689-gm9g-jgr6", "reference_id": "GHSA-8689-gm9g-jgr6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8689-gm9g-jgr6" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6", "reference_id": "GHSA-8689-gm9g-jgr6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:20:49Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3", "reference_id": "openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:20:49Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373265?format=api", "purl": "pkg:npm/openclaw@2026.3.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1f2r-y41u-y7b4" }, { "vulnerability": "VCID-1kns-bfm7-wqa7" }, { "vulnerability": "VCID-1qnh-qhcx-63et" }, { "vulnerability": "VCID-1sxg-r1bm-mygk" }, { "vulnerability": "VCID-1wqp-rrgy-4ffe" }, { "vulnerability": "VCID-24x5-nkt2-wbg7" }, { "vulnerability": "VCID-27ud-w29j-cbeq" }, { "vulnerability": "VCID-2d5p-gd51-3bfc" }, { "vulnerability": "VCID-2p3a-gmxy-37gx" }, { "vulnerability": "VCID-2tsv-9m6k-1qdn" }, { "vulnerability": "VCID-3f2g-c9me-nbdm" }, { "vulnerability": "VCID-3qf3-mq53-fbgp" }, { "vulnerability": "VCID-416m-tsuc-b3fg" }, { "vulnerability": "VCID-45as-yk5j-dug2" }, { "vulnerability": "VCID-4kcu-akxv-hker" }, { "vulnerability": "VCID-4qqv-57ws-4yb3" }, { "vulnerability": "VCID-4umw-rnj5-efad" }, { "vulnerability": "VCID-4yrw-qqvt-jkhn" }, { "vulnerability": "VCID-563k-49s5-5fbp" }, { "vulnerability": "VCID-5c35-mfrw-r3fg" }, { "vulnerability": "VCID-5hvu-e2e8-y7h6" }, { "vulnerability": "VCID-5msy-va7d-jkhz" }, { "vulnerability": "VCID-5szz-xqng-fffv" }, { "vulnerability": "VCID-5uvn-998w-hfds" }, { "vulnerability": "VCID-5zh4-jn4s-akc9" }, { "vulnerability": "VCID-65nh-ys6n-77ag" }, { "vulnerability": "VCID-6ce4-zpfh-pybu" }, { "vulnerability": "VCID-6hav-n44a-dkeu" }, { "vulnerability": "VCID-6w88-6bts-sudv" }, { "vulnerability": "VCID-7j27-ndq2-mfht" }, { "vulnerability": "VCID-7r7v-pvsj-uyaw" }, { "vulnerability": "VCID-82aq-wxf5-aka8" }, { "vulnerability": "VCID-84ms-aakm-x3dc" }, { "vulnerability": "VCID-8h62-5c5b-cbdt" }, { "vulnerability": "VCID-8h7u-pr1w-z7df" }, { "vulnerability": "VCID-8sps-h6k2-43c9" }, { "vulnerability": "VCID-8x39-gcpu-yqd9" }, { "vulnerability": "VCID-925q-556p-q3f6" }, { "vulnerability": "VCID-9u9n-s6sc-2bhw" }, { "vulnerability": "VCID-9vbr-88pv-hudj" }, { "vulnerability": "VCID-9xv8-jtc8-ekcr" }, { "vulnerability": "VCID-9zkk-mp8b-kbbg" }, { "vulnerability": "VCID-a4pw-9uzw-47ge" }, { "vulnerability": "VCID-a9q6-xpjm-6yfd" }, { "vulnerability": "VCID-aegc-6ab1-k7hk" }, { "vulnerability": "VCID-afjz-us2v-k7ak" }, { "vulnerability": "VCID-agtk-z6cf-1bh7" }, { "vulnerability": "VCID-b3av-6zna-sugm" }, { "vulnerability": "VCID-bdx2-c7m3-xbfv" }, { "vulnerability": "VCID-bqwy-vw6g-uudj" }, { "vulnerability": "VCID-brzy-7832-5bhh" }, { "vulnerability": "VCID-bvyn-2c5r-4bce" }, { "vulnerability": "VCID-c3fa-2u7p-pkgn" }, { "vulnerability": "VCID-c3hg-hct8-eqbv" }, { "vulnerability": "VCID-c7gn-3t5r-j7bu" }, { "vulnerability": "VCID-c8dt-7z8a-qufe" }, { "vulnerability": "VCID-c8mh-j256-j3aa" }, { "vulnerability": "VCID-cbdg-vzrj-puc2" }, { "vulnerability": "VCID-cf4u-fs5p-3ue3" }, { "vulnerability": "VCID-cfj6-nuq4-wudw" }, { "vulnerability": "VCID-cj2h-dvh1-1bhx" }, { "vulnerability": "VCID-crh9-tw4p-2bgr" }, { "vulnerability": "VCID-d34s-z46v-gygk" }, { "vulnerability": "VCID-dtva-truu-4qac" }, { "vulnerability": "VCID-e327-pu9e-x7gh" }, { "vulnerability": "VCID-e351-abpr-7fhx" }, { "vulnerability": "VCID-e84v-kdtb-5ycs" }, { "vulnerability": "VCID-e8sz-63dk-tfbs" }, { "vulnerability": "VCID-eaeg-e381-nyh5" }, { "vulnerability": "VCID-ed61-sus3-3yh9" }, { "vulnerability": "VCID-eefn-gpc1-mfdx" }, { "vulnerability": "VCID-eju9-rz5x-1bbk" }, { "vulnerability": "VCID-esve-n4ww-rudc" }, { "vulnerability": "VCID-f22e-sy58-g7fb" }, { "vulnerability": "VCID-f925-x5qa-buav" }, { "vulnerability": "VCID-f95y-gnx3-wydp" }, { "vulnerability": "VCID-fcfw-yctj-v3cy" }, { "vulnerability": "VCID-fgkb-fmuq-wffh" }, { "vulnerability": "VCID-fzag-upa9-n7cr" }, { "vulnerability": "VCID-gd62-paxx-abgy" }, { "vulnerability": "VCID-h5h5-c9az-4be3" }, { "vulnerability": "VCID-h6wv-azua-wkgw" }, { "vulnerability": "VCID-h77b-c2kq-8kej" }, { "vulnerability": "VCID-h78a-py8h-ekgj" }, { "vulnerability": "VCID-hbkd-8rx2-4qb8" }, { "vulnerability": "VCID-hh2g-pzbh-13ax" }, { "vulnerability": "VCID-hrnb-5t6m-jkaq" }, { "vulnerability": "VCID-jarm-du2f-1uef" }, { "vulnerability": "VCID-jdbz-6b2q-xyav" }, { "vulnerability": "VCID-jj5g-2uaq-tua3" }, { "vulnerability": "VCID-jnbs-cnfs-nkb5" }, { "vulnerability": "VCID-jwnv-j7hq-sbh9" }, { "vulnerability": "VCID-jzvr-jz7v-q3h1" }, { "vulnerability": "VCID-kact-h3hk-d7eg" }, { "vulnerability": "VCID-kdn3-sa62-4bef" }, { "vulnerability": "VCID-kfmd-usy4-afbu" }, { "vulnerability": "VCID-kkqe-kjun-mufe" }, { "vulnerability": "VCID-kprt-1prq-n7bt" }, { "vulnerability": "VCID-kxyq-t74z-p3gf" }, { "vulnerability": "VCID-m4qc-8d4v-dbe2" }, { "vulnerability": "VCID-m8ba-t6kp-3kcx" }, { "vulnerability": "VCID-mzpq-bw9z-w7dm" }, { "vulnerability": "VCID-n3c5-p4ah-e7e9" }, { "vulnerability": "VCID-nkkj-ue4v-3ueh" }, { "vulnerability": "VCID-pu7g-crjz-27c6" }, { "vulnerability": "VCID-pyut-62r7-6fgp" }, { "vulnerability": "VCID-qmnc-zfxh-87g4" }, { "vulnerability": "VCID-qpq9-cabj-a7hj" }, { "vulnerability": "VCID-qqsk-1mk9-pygw" }, { "vulnerability": "VCID-qqz4-uy33-qya2" }, { "vulnerability": "VCID-qt8t-f9xc-qbgp" }, { "vulnerability": "VCID-qujt-gddx-ckbm" }, { "vulnerability": "VCID-r75w-jwbm-dyew" }, { "vulnerability": "VCID-rffw-fgxm-1ue9" }, { "vulnerability": "VCID-rm55-3hs1-23b4" }, { "vulnerability": "VCID-rr2j-c7md-57gj" }, { "vulnerability": "VCID-sbxm-vwhw-9fhd" }, { "vulnerability": "VCID-sqr6-smfg-uqdy" }, { "vulnerability": "VCID-sqxg-9akn-j7az" }, { "vulnerability": "VCID-t14t-27xx-83g3" }, { "vulnerability": "VCID-t2b3-n8xb-k3fn" }, { "vulnerability": "VCID-t7nn-6cy7-2yak" }, { "vulnerability": "VCID-tegh-qc36-ufha" }, { "vulnerability": "VCID-tgnw-vne2-2kc1" }, { "vulnerability": "VCID-tm7a-1rzn-5yak" }, { "vulnerability": "VCID-tm94-jwz9-kkd6" }, { "vulnerability": "VCID-tyz3-w2hm-gqg7" }, { "vulnerability": "VCID-v3g3-zvr2-3khy" }, { "vulnerability": "VCID-v3u2-k16m-9kdp" }, { "vulnerability": "VCID-v6e8-g5w8-k3ax" }, { "vulnerability": "VCID-vpee-kdhr-xuf3" }, { "vulnerability": "VCID-wje6-u94m-h3d5" }, { "vulnerability": "VCID-wks9-hb2x-f7et" }, { "vulnerability": "VCID-wwx4-qepr-6ue8" }, { "vulnerability": "VCID-x5a1-bdbv-2fbv" }, { "vulnerability": "VCID-xdcp-b977-e3bm" }, { "vulnerability": "VCID-xhej-v61s-vkht" }, { "vulnerability": "VCID-xsbb-51rw-p7e8" }, { "vulnerability": "VCID-xttb-bfmd-uyfh" }, { "vulnerability": "VCID-xv1n-1wbt-8ydw" }, { "vulnerability": "VCID-y5k6-v1cj-cqg6" }, { "vulnerability": "VCID-y922-jg2a-6fff" }, { "vulnerability": "VCID-y927-u929-17bd" }, { "vulnerability": "VCID-yjb1-4y48-a7g6" }, { "vulnerability": "VCID-yqjc-khg8-uyb4" }, { "vulnerability": "VCID-z438-846q-27f3" }, { "vulnerability": "VCID-zmfp-x82c-3kcd" }, { "vulnerability": "VCID-zqds-fryf-tbgv" }, { "vulnerability": "VCID-zw9g-abft-skg9" }, { "vulnerability": "VCID-zxc5-3vhg-b3hw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28" } ], "aliases": [ "CVE-2026-41395", "GHSA-8689-gm9g-jgr6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zzub-kp8h-2kar" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23-1" }