Search for packages
| purl | pkg:npm/openclaw@2026.3.23 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1f2r-y41u-y7b4
Aliases: CVE-2026-43574 GHSA-49cg-279w-m73x |
OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id. |
Affected by 37 other vulnerabilities. |
|
VCID-1gsf-j6g3-4fd7
Aliases: GHSA-fqw4-mph7-2vr8 |
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect ## Summary Gateway local shared-auth reconnect silently widens paired device scope from operator.read to operator.admin and reach node RCE ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Silent local shared-auth reconnects could previously auto-approve `scope-upgrade` requests and widen a paired device from `operator.read` to `operator.admin`. Commit `81ebc7e0344fd19c85778e883bad45e2da972229` blocks silent reconnect scope upgrades so widened scopes require an explicit pairing approval instead of an implicit local reconnect path. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81ebc7e0344fd19c85778e883bad45e2da972229`. ## Fix Commit(s) - `81ebc7e0344fd19c85778e883bad45e2da972229` | There are no reported fixed by versions. |
|
VCID-1kns-bfm7-wqa7
Aliases: CVE-2026-43530 GHSA-2cq5-mf3v-mx44 |
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations. |
Affected by 37 other vulnerabilities. |
|
VCID-1sxg-r1bm-mygk
Aliases: CVE-2026-41408 GHSA-4g5x-2jfc-xm98 |
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact. |
Affected by 97 other vulnerabilities. |
|
VCID-1wqp-rrgy-4ffe
Aliases: CVE-2026-41356 GHSA-rfqg-qgf8-xr9x |
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation. |
Affected by 97 other vulnerabilities. |
|
VCID-213t-kf4c-qfct
Aliases: CVE-2026-35663 GHSA-9hjh-fr4f-gxc4 |
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges. | There are no reported fixed by versions. |
|
VCID-24x5-nkt2-wbg7
Aliases: CVE-2026-43571 GHSA-82qx-6vj7-p8m2 |
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading. |
Affected by 42 other vulnerabilities. |
|
VCID-27ud-w29j-cbeq
Aliases: GHSA-f3h5-h452-vp3j |
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence ## Summary Nostr profile mutation routes allowed operator.write config persistence. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority. ## Technical Details The fix requires `operator.admin` scope for Nostr profile mutation routes. ## Fix The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `6517c700de9bb0ee11b41ab625ef3b63d01b6083` - PR: #63553 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-2amg-4khy-1ufr
Aliases: CVE-2026-35640 GHSA-3h52-cx59-c456 |
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection. |
Affected by 150 other vulnerabilities. |
|
VCID-2c8q-g4uw-mufb
Aliases: GHSA-v3qc-wrwx-j3pw |
OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch` ## Summary Agentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via `config.patch` ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Maintainers accepted this issue, fixed it in 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `76411b2afc4ae721e36c12e0ea24fd23e2fed61e` — 2026-03-27T09:42:15Z OpenClaw thanks @YLChen-007 for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-2d5p-gd51-3bfc
Aliases: CVE-2026-41913 GHSA-25wv-8phj-8p7r |
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths. |
Affected by 0 other vulnerabilities. Affected by 81 other vulnerabilities. |
|
VCID-2d6p-8jxd-1yc4
Aliases: CVE-2026-33581 GHSA-v8wv-jg3q-qwpq |
OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory. |
Affected by 209 other vulnerabilities. |
|
VCID-2keu-vgjt-t7ba
Aliases: CVE-2026-35647 GHSA-9wqx-g2cw-vc7r |
OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message transmission. | There are no reported fixed by versions. |
|
VCID-2p3a-gmxy-37gx
Aliases: GHSA-92jp-89mq-4374 |
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials ## Summary Sandbox noVNC helper route exposed interactive browser session credentials. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.21 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface. ## Technical Details The fix gates the sandbox noVNC helper route behind bridge authentication. ## Fix The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8dfbf3268bd224b7377d1ecca77a445100746085` - PR: #63882 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-2t7c-q448-a7bp
Aliases: CVE-2026-41399 GHSA-f44p-c7w9-7xr7 |
Affected by 150 other vulnerabilities. |
|
|
VCID-2tsv-9m6k-1qdn
Aliases: CVE-2026-41341 GHSA-6336-qqw9-v6x6 |
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling. |
Affected by 97 other vulnerabilities. |
|
VCID-3f2g-c9me-nbdm
Aliases: CVE-2026-41329 GHSA-g5cg-8x5w-7jpm |
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation. |
Affected by 97 other vulnerabilities. |
|
VCID-3f8g-rfq5-fbeb
Aliases: CVE-2026-41359 GHSA-767m-xrhc-fxm7 |
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms. |
Affected by 150 other vulnerabilities. |
|
VCID-3qf3-mq53-fbgp
Aliases: GHSA-57gh-m6rq-54cf |
OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration ## Summary Media Local Roots Self-Whitelisting in `appendLocalMediaParentRoots` Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `1ca4261d7e055d0be141ed79ebb1365d0fbc7364` — 2026-03-30T17:15:03+01:00 OpenClaw thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-3swm-pxgf-sqbx
Aliases: CVE-2026-41390 GHSA-6pfc-6m7w-m8fx |
OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execute different underlying programs. |
Affected by 150 other vulnerabilities. |
|
VCID-416m-tsuc-b3fg
Aliases: CVE-2026-41348 GHSA-rvvf-6vh3-9j43 |
Affected by 97 other vulnerabilities. |
|
|
VCID-45as-yk5j-dug2
Aliases: CVE-2026-41354 GHSA-rxmx-g7hr-8mx4 |
Affected by 80 other vulnerabilities. |
|
|
VCID-47ty-n3m4-nbbe
Aliases: CVE-2026-41344 GHSA-5h2w-qmfp-ggp6 |
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators. |
Affected by 150 other vulnerabilities. |
|
VCID-4kcu-akxv-hker
Aliases: CVE-2026-41335 GHSA-hr8g-2q7x-3f4w |
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations. |
Affected by 97 other vulnerabilities. |
|
VCID-4n9g-ymdq-6fhd
Aliases: GHSA-3gr8-2752-h46q |
Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v8wv-jg3q-qwpq. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory. |
Affected by 209 other vulnerabilities. |
|
VCID-4qqv-57ws-4yb3
Aliases: CVE-2026-45002 GHSA-2xcp-x87w-q377 |
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls. |
Affected by 12 other vulnerabilities. |
|
VCID-4srt-x1xb-xqa8
Aliases: CVE-2026-35620 GHSA-39mp-545q-w789 |
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization. |
Affected by 209 other vulnerabilities. |
|
VCID-4umw-rnj5-efad
Aliases: CVE-2026-41374 GHSA-hhff-fj5f-qg48 |
Affected by 97 other vulnerabilities. |
|
|
VCID-4yrw-qqvt-jkhn
Aliases: CVE-2026-41400 GHSA-2w79-r9g8-wmcr |
OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service. |
Affected by 97 other vulnerabilities. |
|
VCID-54js-czwp-jkce
Aliases: CVE-2026-35641 GHSA-m3mh-3mpg-37hw |
OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file. |
Affected by 209 other vulnerabilities. |
|
VCID-563k-49s5-5fbp
Aliases: CVE-2026-41296 GHSA-9p3r-hh9g-5cmg |
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files. |
Affected by 97 other vulnerabilities. |
|
VCID-59an-tnp2-qfgg
Aliases: CVE-2026-35628 GHSA-vcx4-4qxg-mfp4 |
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks. | There are no reported fixed by versions. |
|
VCID-5c35-mfrw-r3fg
Aliases: CVE-2026-40045 GHSA-83f3-hh45-vfw9 |
OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials. |
Affected by 80 other vulnerabilities. |
|
VCID-5hvu-e2e8-y7h6
Aliases: CVE-2026-41378 GHSA-gjm7-hw8f-73rq |
OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway. |
Affected by 97 other vulnerabilities. |
|
VCID-5jgs-gk2n-8fdk
Aliases: CVE-2026-33576 GHSA-v2v2-f783-358j |
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected. |
Affected by 150 other vulnerabilities. |
|
VCID-5k9d-n6kg-g3bn
Aliases: CVE-2026-35667 GHSA-3298-56p6-rpw2 |
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately without graceful SIGTERM shutdown. Attackers can trigger process termination via the !stop command, causing data corruption, resource leaks, and skipped security-sensitive cleanup operations. |
Affected by 209 other vulnerabilities. |
|
VCID-5msy-va7d-jkhz
Aliases: CVE-2026-41364 GHSA-fv94-qvg8-xqpw |
OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sandbox and overwrite files on the remote host. |
Affected by 97 other vulnerabilities. |
|
VCID-5szz-xqng-fffv
Aliases: GHSA-f693-58pc-2gfr |
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts ## Summary Telegram legacy allowFrom migration fans default-account trust into all named accounts ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-5uvn-998w-hfds
Aliases: CVE-2026-43534 GHSA-7g8c-cfr3-vqqr |
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. |
Affected by 42 other vulnerabilities. |
|
VCID-5zh4-jn4s-akc9
Aliases: GHSA-xrq9-jm7v-g9h7 |
OpenClaw: Paired-device pairing actions were not limited to the caller device ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-65nh-ys6n-77ag
Aliases: CVE-2026-44118 GHSA-r6xh-pqhr-v4xh |
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. |
Affected by 3 other vulnerabilities. |
|
VCID-6ce4-zpfh-pybu
Aliases: CVE-2026-42431 GHSA-cmfr-9m2r-xwhq |
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations. |
Affected by 60 other vulnerabilities. |
|
VCID-6hav-n44a-dkeu
Aliases: GHSA-fwjq-xwfj-gv75 |
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations ## Summary `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` — 2026-03-30T16:48:12+02:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-6w88-6bts-sudv
Aliases: CVE-2026-43585 GHSA-xmxx-7p24-h892 |
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. |
Affected by 24 other vulnerabilities. |
|
VCID-7j27-ndq2-mfht
Aliases: CVE-2026-43576 GHSA-f7fh-qg34-x2xh |
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks. |
Affected by 81 other vulnerabilities. |
|
VCID-7r7v-pvsj-uyaw
Aliases: CVE-2026-41333 GHSA-6p8r-6m93-557f |
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords. |
Affected by 97 other vulnerabilities. |
|
VCID-7rcc-8g5p-3ydv
Aliases: CVE-2026-41363 GHSA-qf48-qfv4-jjm9 |
OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside configured localRoots boundaries. |
Affected by 150 other vulnerabilities. |
|
VCID-7v88-gh66-ybgd
Aliases: CVE-2026-34503 GHSA-2pr2-hcv6-7gwv |
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection. |
Affected by 150 other vulnerabilities. |
|
VCID-812y-rb9q-m7eu
Aliases: GHSA-9p93-7j67-5pc2 |
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding ## Summary Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding. ## Details The HTTP route previously treated any bearer-authenticated request as admin-eligible and could call without binding the action to requester ownership or caller-granted operator scopes. The flaw removes the bearer-token admin fallback and keeps remote session kills on the local-admin or requester-owned path only. | There are no reported fixed by versions. |
|
VCID-82aq-wxf5-aka8
Aliases: CVE-2026-43527 GHSA-53vx-pmqw-863c |
OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests. |
Affected by 30 other vulnerabilities. |
|
VCID-84ms-aakm-x3dc
Aliases: CVE-2026-42428 GHSA-3vvq-q2qc-7rmp |
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment. |
Affected by 60 other vulnerabilities. |
|
VCID-86wa-z59e-xqgu
Aliases: CVE-2026-35623 GHSA-xq8g-hgh6-87hv |
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access. | There are no reported fixed by versions. |
|
VCID-8h62-5c5b-cbdt
Aliases: GHSA-72q8-jcmc-97wx |
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy. The issue is limited to Feishu card-action handling. Severity is medium. ## Fix OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs. Fix commit: - `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-8h7u-pr1w-z7df
Aliases: CVE-2026-41915 GHSA-cm8v-2vh9-cxf3 |
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity. |
Affected by 60 other vulnerabilities. |
|
VCID-8sps-h6k2-43c9
Aliases: CVE-2026-41391 GHSA-7ggg-pvrf-458v |
OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting malicious index URLs through unsanitized environment variables. |
Affected by 97 other vulnerabilities. |
|
VCID-8x39-gcpu-yqd9
Aliases: CVE-2026-41301 GHSA-h43v-27wg-5mf9 |
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel. |
Affected by 97 other vulnerabilities. |
|
VCID-925q-556p-q3f6
Aliases: CVE-2026-41914 GHSA-3fv3-6p2v-gxwj |
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies. |
Affected by 60 other vulnerabilities. |
|
VCID-9pv2-ufhu-w7g1
Aliases: CVE-2026-41355 GHSA-42mx-vp8m-j7qh |
OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks. |
Affected by 150 other vulnerabilities. |
|
VCID-9u9n-s6sc-2bhw
Aliases: CVE-2026-44116 GHSA-2hh7-c75g-qj2r |
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. |
Affected by 3 other vulnerabilities. |
|
VCID-9vbr-88pv-hudj
Aliases: GHSA-846p-hgpv-vphc |
OpenClaw: QQ Bot structured payloads could read arbitrary local files ## Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. ## Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-9xv8-jtc8-ekcr
Aliases: CVE-2026-42423 GHSA-q2gc-xjqw-qp89 |
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary. |
Affected by 60 other vulnerabilities. |
|
VCID-9zkk-mp8b-kbbg
Aliases: CVE-2026-43582 GHSA-xq94-r468-qwgj |
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs. |
Affected by 42 other vulnerabilities. |
|
VCID-a4pw-9uzw-47ge
Aliases: CVE-2026-42424 GHSA-qqq7-4hxc-x63c |
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media. |
Affected by 60 other vulnerabilities. |
|
VCID-a7hc-rue8-13eb
Aliases: CVE-2026-33578 GHSA-63mg-xp9j-jfcm |
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions. |
Affected by 150 other vulnerabilities. |
|
VCID-a9q6-xpjm-6yfd
Aliases: CVE-2026-41403 GHSA-3xv9-89fm-7h4r |
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions. |
Affected by 97 other vulnerabilities. |
|
VCID-aegc-6ab1-k7hk
Aliases: CVE-2026-40037 GHSA-qx8j-g322-qj6m |
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. |
Affected by 60 other vulnerabilities. |
|
VCID-afjz-us2v-k7ak
Aliases: CVE-2026-44112 GHSA-wppj-c6mr-83jj |
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. |
Affected by 3 other vulnerabilities. |
|
VCID-agtk-z6cf-1bh7
Aliases: GHSA-w85g-3h6x-4xh2 |
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS ## Summary Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availability issue that is valid at medium. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `0ed4f8a72bb140045962e97ab01c94c076b758a4` — 2026-03-31T22:52:55+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-b3av-6zna-sugm
Aliases: CVE-2026-41300 GHSA-9f4w-67g7-mqwv |
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring operator acceptance. |
Affected by 97 other vulnerabilities. |
|
VCID-b3nv-4pe7-fyhj
Aliases: CVE-2026-33577 GHSA-2x4x-cc5g-qmmg |
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level. |
Affected by 150 other vulnerabilities. |
|
VCID-bdx2-c7m3-xbfv
Aliases: CVE-2026-41394 GHSA-mhgq-xpfq-6r66 |
OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators. |
Affected by 97 other vulnerabilities. |
|
VCID-bfj1-xxkp-aubu
Aliases: CVE-2026-41294 GHSA-8rh7-6779-cjqq |
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup. |
Affected by 150 other vulnerabilities. |
|
VCID-bj4f-1qy4-33g7
Aliases: CVE-2026-41384 GHSA-vfw7-6rhc-6xxg |
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. Attackers can craft malicious workspace configs to inject arbitrary environment variables into the backend process spawning, enabling code execution or sensitive data exposure. |
Affected by 209 other vulnerabilities. |
|
VCID-bnzw-duu7-7fgu
Aliases: CVE-2026-33580 GHSA-9528-x887-j2fp |
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling. |
Affected by 150 other vulnerabilities. |
|
VCID-bqwy-vw6g-uudj
Aliases: GHSA-68v4-hmwv-f43h |
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact ## Summary Media download follows cross-origin redirects with Authorization headers intact ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak class that fits medium. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f` — 2026-03-31T19:57:42+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-brzy-7832-5bhh
Aliases: CVE-2026-41404 GHSA-g374-mggx-p6xc |
OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes on non-Control-UI clients, allowing self-declared scopes to persist on identity-bearing authentication paths and escalate privileges. |
Affected by 97 other vulnerabilities. |
|
VCID-bt5u-3vwp-rqcw
Aliases: GHSA-gm9m-x74r-8whg |
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling. |
Affected by 150 other vulnerabilities. |
|
VCID-bvyn-2c5r-4bce
Aliases: CVE-2026-42427 GHSA-7437-7hg8-frrw |
Affected by 60 other vulnerabilities. |
|
|
VCID-c3fa-2u7p-pkgn
Aliases: CVE-2026-44109 GHSA-xh72-v6v9-mwhc |
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. |
Affected by 24 other vulnerabilities. |
|
VCID-c3hg-hct8-eqbv
Aliases: CVE-2026-42436 GHSA-c4qm-58hj-j6pj |
OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation. |
Affected by 30 other vulnerabilities. |
|
VCID-c723-znew-ebhm
Aliases: CVE-2026-35619 GHSA-68f8-9mhj-h2mp |
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks. |
Affected by 209 other vulnerabilities. |
|
VCID-c7gn-3t5r-j7bu
Aliases: CVE-2026-41346 GHSA-wwfp-w96m-c6x8 |
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service. |
Affected by 97 other vulnerabilities. |
|
VCID-c8dt-7z8a-qufe
Aliases: CVE-2026-45003 GHSA-55cf-xx38-4p9p |
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files. |
Affected by 3 other vulnerabilities. |
|
VCID-c8mh-j256-j3aa
Aliases: GHSA-w9j9-w4cp-6wgr |
## Impact OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.3.28` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @wsparks-vc for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-cbdg-vzrj-puc2
Aliases: CVE-2026-44995 GHSA-mj59-h3q9-ghfh |
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers. |
Affected by 12 other vulnerabilities. |
|
VCID-cf4u-fs5p-3ue3
Aliases: CVE-2026-44117 GHSA-c4qg-j8jg-42q5 |
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. |
Affected by 12 other vulnerabilities. |
|
VCID-cfj6-nuq4-wudw
Aliases: CVE-2026-42429 GHSA-4f8g-77mw-3rxc |
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations. |
Affected by 60 other vulnerabilities. |
|
VCID-cj2h-dvh1-1bhx
Aliases: GHSA-j9pv-rrcj-6pfx |
OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes ## Summary SSH-based sandbox backends pass unsanitized process.env to child processes ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so lower to low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `cfe14459531e002a1c61c27d97ec7dc8aecddc1f` — 2026-03-30T20:05:57+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-crh9-tw4p-2bgr
Aliases: CVE-2026-43567 GHSA-jf25-7968-h2h5 |
OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system. |
Affected by 42 other vulnerabilities. |
|
VCID-d34s-z46v-gygk
Aliases: CVE-2026-43573 GHSA-527m-976r-jf79 |
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement. |
Affected by 42 other vulnerabilities. |
|
VCID-d8dy-y1mu-bqgc
Aliases: CVE-2026-35654 GHSA-rf6h-5gpw-qrgq |
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection. |
Affected by 150 other vulnerabilities. |
|
VCID-djr4-azeh-mfap
Aliases: GHSA-jccr-rrw2-vc8h |
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure ## Summary The jq safe-bin policy blocked explicit `env` usage but still allowed jq programs that accessed environment data through `$ENV`. ## Impact An operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope. ## Affected Component `src/infra/exec-safe-bin-semantics.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `78e2f3d66d` (`Exec: tighten jq safe-bin env checks`). Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-dtva-truu-4qac
Aliases: CVE-2026-41402 GHSA-hhq4-97c2-p447 |
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets. |
Affected by 97 other vulnerabilities. |
|
VCID-e327-pu9e-x7gh
Aliases: CVE-2026-44997 GHSA-q3jj-46pq-826r |
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources. |
Affected by 3 other vulnerabilities. |
|
VCID-e351-abpr-7fhx
Aliases: GHSA-rf75-g96h-j3rm |
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. ### Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked. |
Affected by 80 other vulnerabilities. |
|
VCID-e6cf-mh6h-pqgn
Aliases: GHSA-g86v-f9qv-rh6m |
OpenClaw SSRF guard misses four IPv6 special-use ranges ## Summary The SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed. ## Impact An attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard. ## Affected Component `src/shared/net/ip.ts, src/infra/net/ssrf.*` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `d61f8e5672` (`Net: block missing IPv6 special-use ranges`). OpenClaw thanks @nicky-cc of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-e6q6-e2my-gfce
Aliases: GHSA-f6pf-4gjx-c94r |
OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read ## Summary OpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `4797bbc5b96e2cca5532e43b58915c051746fe37` — 2026-03-25T13:35:16-06:00 ## Release Process Note - The fix is already present in released version `2026.3.28`. |
Affected by 150 other vulnerabilities. |
|
VCID-e84v-kdtb-5ycs
Aliases: CVE-2026-41381 GHSA-cqgw-44wg-44rf |
OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can send Discord voice ingress requests before channel allowlist authorization is performed, gaining unauthorized access to restricted voice channels. |
Affected by 97 other vulnerabilities. |
|
VCID-e8sz-63dk-tfbs
Aliases: CVE-2026-44991 GHSA-c28g-vh7m-fm7v |
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks. |
Affected by 11 other vulnerabilities. |
|
VCID-eaeg-e381-nyh5
Aliases: CVE-2026-43533 GHSA-66r7-m7xm-v49h |
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. |
Affected by 42 other vulnerabilities. |
|
VCID-ed61-sus3-3yh9
Aliases: CVE-2026-41376 GHSA-rg8m-3943-vm6q |
OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls. |
Affected by 97 other vulnerabilities. |
|
VCID-eefn-gpc1-mfdx
Aliases: GHSA-cwj3-vqpp-pmxr |
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes ## Summary The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations. ## Impact A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked. ## Fix Commit(s) - `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`) ## Severity Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. |
Affected by 0 other vulnerabilities. |
|
VCID-eju9-rz5x-1bbk
Aliases: GHSA-ch86-pxr9-j9h9 |
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption. |
Affected by 80 other vulnerabilities. |
|
VCID-epaf-29e7-kue8
Aliases: CVE-2026-35668 GHSA-hr5v-j9h9-xjhg |
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots. |
Affected by 209 other vulnerabilities. |
|
VCID-esve-n4ww-rudc
Aliases: CVE-2026-41377 GHSA-cwq8-6f96-g3q4 |
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings. |
Affected by 97 other vulnerabilities. |
|
VCID-f22e-sy58-g7fb
Aliases: CVE-2026-43569 GHSA-939r-rj45-g2rj |
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent. |
Affected by 59 other vulnerabilities. |
|
VCID-f5q3-7bm2-1kgw
Aliases: CVE-2026-34504 GHSA-qxgf-hmcj-3xw3 |
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline. |
Affected by 150 other vulnerabilities. |
|
VCID-f925-x5qa-buav
Aliases: CVE-2026-42439 GHSA-rj2p-j66c-mgqh |
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. |
Affected by 42 other vulnerabilities. |
|
VCID-f95y-gnx3-wydp
Aliases: CVE-2026-42433 GHSA-7jp6-r74r-995q |
OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs. |
Affected by 42 other vulnerabilities. |
|
VCID-fcfw-yctj-v3cy
Aliases: CVE-2026-42435 GHSA-j6c7-3h5x-99g9 |
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls. |
Affected by 37 other vulnerabilities. |
|
VCID-fgkb-fmuq-wffh
Aliases: CVE-2026-45004 GHSA-r39h-4c2p-3jxp |
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory. |
Affected by 0 other vulnerabilities. |
|
VCID-fzag-upa9-n7cr
Aliases: GHSA-rm5c-4rmf-vvhw |
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses ## Summary Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `32a4a47d602e0618f87b3e59f94d8c142767f860` — 2026-03-30T16:49:49+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-g2hf-mzjs-2fbn
Aliases: GHSA-f275-5h5c-5wg5 |
Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts. |
Affected by 150 other vulnerabilities. |
|
VCID-gd62-paxx-abgy
Aliases: CVE-2026-41916 GHSA-68x5-xx89-w9mm |
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations. |
Affected by 60 other vulnerabilities. |
|
VCID-gh64-hwfz-p3ep
Aliases: CVE-2026-41380 GHSA-p4x4-2r7f-wjxg |
Affected by 150 other vulnerabilities. |
|
|
VCID-h5h5-c9az-4be3
Aliases: CVE-2026-41396 GHSA-qcj9-wwgw-6gm8 |
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory. |
Affected by 97 other vulnerabilities. |
|
VCID-h6wv-azua-wkgw
Aliases: CVE-2026-34425 GHSA-fvx6-pj3r-5q4q |
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked. |
Affected by 80 other vulnerabilities. |
|
VCID-h77b-c2kq-8kej
Aliases: CVE-2026-34511 GHSA-9jpj-g8vv-j5mf |
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption. |
Affected by 80 other vulnerabilities. |
|
VCID-h78a-py8h-ekgj
Aliases: CVE-2026-43584 GHSA-vfp4-8x56-j7c5 |
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. |
Affected by 42 other vulnerabilities. |
|
VCID-hbkd-8rx2-4qb8
Aliases: GHSA-7jm2-g593-4qrc |
OpenClaw: Agent gateway config mutations could change protected operator settings ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings. This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium. ## Fix OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching. Fix commit: - `fe30b31a97a917ecc6e92f6c85378b6b20352422` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-hh2g-pzbh-13ax
Aliases: CVE-2026-41406 GHSA-877v-w3f5-3pcq |
Affected by 97 other vulnerabilities. |
|
|
VCID-hrnb-5t6m-jkaq
Aliases: CVE-2026-41910 GHSA-vc32-h5mq-453v |
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model. |
Affected by 60 other vulnerabilities. |
|
VCID-j13w-x4ky-8yhd
Aliases: CVE-2026-41332 GHSA-m866-6qv5-p2fg |
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials. |
Affected by 150 other vulnerabilities. |
|
VCID-jarm-du2f-1uef
Aliases: CVE-2026-43529 GHSA-gj9q-8w99-mp8j |
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check. |
Affected by 42 other vulnerabilities. |
|
VCID-jdbz-6b2q-xyav
Aliases: GHSA-93rg-2xm5-2p9v |
OpenClaw's Gateway Control UI bootstrap config required Gateway auth ## Summary Gateway Control UI bootstrap config required Gateway auth. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions. ## Fix The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling. ## Fix Commit(s) - 2321d67263bc710e357644d59f746b08d891051b ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-jj5g-2uaq-tua3
Aliases: CVE-2026-41369 GHSA-cg7q-fg22-4g98 |
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity. |
Affected by 97 other vulnerabilities. |
|
VCID-jnbs-cnfs-nkb5
Aliases: CVE-2026-41347 GHSA-mhr7-2xmv-4c4q |
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints. |
Affected by 97 other vulnerabilities. |
|
VCID-jwnv-j7hq-sbh9
Aliases: GHSA-f934-5rqf-xx47 |
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths ## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-jzvr-jz7v-q3h1
Aliases: CVE-2026-41405 GHSA-p464-m8x6-vhv8 |
Affected by 97 other vulnerabilities. |
|
|
VCID-kact-h3hk-d7eg
Aliases: GHSA-525j-hqq2-66r4 |
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 ## Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range. ## Technical Details The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured. ## Fix The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fbf11ebdb7110632f93926d0ac7b48f04cb44d77` - PR: #61404 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-kdn3-sa62-4bef
Aliases: CVE-2026-41388 GHSA-3pm9-5j7m-59vc |
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls. |
Affected by 97 other vulnerabilities. |
|
VCID-kfmd-usy4-afbu
Aliases: CVE-2026-42430 GHSA-w8g9-x8gx-crmm |
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections. |
Affected by 60 other vulnerabilities. |
|
VCID-kkqe-kjun-mufe
Aliases: CVE-2026-43526 GHSA-2767-2q9v-9326 |
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. |
Affected by 37 other vulnerabilities. |
|
VCID-kkw6-d2rs-9uh3
Aliases: GHSA-mw7w-g3mg-xqm7 |
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events ## Summary BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details BlueBubbles group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` applies the reaction path to the same mention gate as normal group messages. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`. ## Fix Commit(s) - `f8c98630785288cc1f1d0893503ef3b653a3cede` | There are no reported fixed by versions. |
|
VCID-kprt-1prq-n7bt
Aliases: CVE-2026-41330 GHSA-9gp8-hjxr-6f34 |
OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification, Docker restrictions, and Git TLS enforcement. |
Affected by 97 other vulnerabilities. |
|
VCID-kxyq-t74z-p3gf
Aliases: CVE-2026-41385 GHSA-jjw7-3vjf-fg5j |
Affected by 97 other vulnerabilities. |
|
|
VCID-m3h2-6en6-2ye4
Aliases: CVE-2026-35657 GHSA-5jvj-hxmh-6h6j |
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint. |
Affected by 0 other vulnerabilities. Affected by 194 other vulnerabilities. |
|
VCID-m4qc-8d4v-dbe2
Aliases: CVE-2026-41295 GHSA-2qrv-rc5x-2g2h |
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted. |
Affected by 80 other vulnerabilities. |
|
VCID-m8ba-t6kp-3kcx
Aliases: CVE-2026-41397 GHSA-cwf8-44x6-32c2 |
OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting malicious symlinks in mirror sync operations to access arbitrary files outside intended boundaries. |
Affected by 97 other vulnerabilities. |
|
VCID-mdss-pw9y-7kh6
Aliases: GHSA-8f9r-gr6r-x63q |
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection. |
Affected by 150 other vulnerabilities. |
|
VCID-msr2-gsjh-1bat
Aliases: CVE-2026-41375 GHSA-h2v7-xc88-xx8c |
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper administrative privileges. |
Affected by 150 other vulnerabilities. |
|
VCID-mzpq-bw9z-w7dm
Aliases: CVE-2026-43570 GHSA-35mw-5vvr-vrxc |
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. |
Affected by 81 other vulnerabilities. |
|
VCID-n3c5-p4ah-e7e9
Aliases: CVE-2026-41336 GHSA-3qpv-xf3v-mm45 |
Affected by 97 other vulnerabilities. |
|
|
VCID-na8n-2vex-zfdb
Aliases: CVE-2026-33579 GHSA-hc5h-pmr3-3497 |
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts. |
Affected by 150 other vulnerabilities. |
|
VCID-nfvd-f7cc-tkhm
Aliases: GHSA-35cq-wv6v-88xf |
Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qxgf-hmcj-3xw3. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline. |
Affected by 150 other vulnerabilities. |
|
VCID-nkkj-ue4v-3ueh
Aliases: CVE-2026-42421 GHSA-5h3f-885m-v22w |
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions. |
Affected by 60 other vulnerabilities. |
|
VCID-np53-nrkf-uyhe
Aliases: CVE-2026-35651 GHSA-4hmj-39m8-jwc7 |
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles. |
Affected by 150 other vulnerabilities. |
|
VCID-pecx-xt79-1kht
Aliases: CVE-2026-41303 GHSA-98hh-7ghg-x6rq |
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests. |
Affected by 150 other vulnerabilities. |
|
VCID-pu7g-crjz-27c6
Aliases: GHSA-w6wx-jq6j-6mcj |
OpenClaw: pnpm dlx approvals did not bind local script operands ## Summary Before OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval. ## Impact An operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @Kazamayc for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-pyut-62r7-6fgp
Aliases: CVE-2026-42420 GHSA-ccx3-fw7q-rr2r |
Affected by 60 other vulnerabilities. |
|
|
VCID-q6h5-e93e-j3d7
Aliases: GHSA-59xc-5v89-r7pr |
Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests. |
Affected by 150 other vulnerabilities. |
|
VCID-qcrw-m7k3-ubgm
Aliases: GHSA-5r8f-96gm-5j6g |
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset` ## Summary The `chat.send` path reused command authorization to trigger `/reset` session rotation even though direct session reset is an admin-only control-plane operation. ## Impact A write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id without admin scope. ## Affected Component `src/gateway/server-methods/chat.ts, src/auto-reply/reply/session.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `be00fcfccb` (`Gateway: align chat.send reset scope checks`). |
Affected by 150 other vulnerabilities. |
|
VCID-qmnc-zfxh-87g4
Aliases: CVE-2026-41912 GHSA-vr5g-mmx7-h897 |
Affected by 60 other vulnerabilities. |
|
|
VCID-qpq9-cabj-a7hj
Aliases: CVE-2026-41908 GHSA-v8qf-fr4g-28p2 |
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots. |
Affected by 12 other vulnerabilities. |
|
VCID-qqsk-1mk9-pygw
Aliases: CVE-2026-44113 GHSA-5h3g-6xhh-rg6p |
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. |
Affected by 3 other vulnerabilities. |
|
VCID-qqz4-uy33-qya2
Aliases: CVE-2026-41911 GHSA-5fc7-f62m-8983 |
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy. |
Affected by 60 other vulnerabilities. |
|
VCID-qt48-xw6x-nudj
Aliases: GHSA-89hr-6x2p-8xjv |
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection. |
Affected by 150 other vulnerabilities. |
|
VCID-qt8t-f9xc-qbgp
Aliases: GHSA-pg8g-f2hf-x82m |
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. |
Affected by 60 other vulnerabilities. |
|
VCID-qujt-gddx-ckbm
Aliases: CVE-2026-42422 GHSA-whf9-3hcx-gq54 |
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval. |
Affected by 60 other vulnerabilities. |
|
VCID-qx6n-dk9c-8yd3
Aliases: GHSA-vqvg-86cc-cg83 |
OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement > Fixed in OpenClaw 2026.3.24, the current shipping release. **Title** Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement **CWE** CWE-862 Missing Authorization **CVSS v3.1** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: **6.5 (Medium)** **Severity Assessment** Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with `operator.write`. **Impact** An authenticated internal Gateway caller limited to `operator.write` can perform state-changing `/allowlist` actions without `operator.admin`, even though comparable mutating internal chat commands already require `operator.admin`. The reachable effects are persistent changes to config-backed `allowFrom` entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish `operator.write` from `operator.admin`. **Affected Component** Verified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`. Exact vulnerable path on the shipped tag: - `src/auto-reply/reply/commands-allowlist.ts:251-254` - `/allowlist` authorization uses only `rejectUnauthorizedCommand(...)`. - `src/auto-reply/reply/commands-allowlist.ts:386-524` - mutating config and pairing-store writes happen here, but there is no `requireGatewayClientScopeForInternalChannel(..., operator.admin, ...)`. Reachability and scope model: - `src/gateway/method-scopes.ts:94-109` - `chat.send` is a write-scoped method. - `src/gateway/server.chat.gateway-server-chat.test.ts:539-559` - existing runtime coverage proves `chat.send` routes slash commands without an agent run. - `src/auto-reply/command-auth.ts:574-577` - internal callers become `senderIsOwner` only when `GatewayClientScopes` includes `operator.admin`. Comparable internal mutating command paths already enforce `operator.admin`: - `src/auto-reply/reply/commands-config.ts:64-73` - `src/auto-reply/reply/commands-mcp.ts:89-96` - `src/auto-reply/reply/commands-plugins.ts:387-394` - `src/auto-reply/reply/commands-acp.ts:98-106` Version history: - Introduced by commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` (`feat: add /allowlist command`) - Earliest released affected tag found: `v2026.1.20` - Latest released affected tag verified: `v2026.3.23` **Technical Reproduction** 1. Check out the shipped release tag `v2026.3.23`. 2. Use an internal command context with: - `Provider = "webchat"` - `Surface = "webchat"` - `GatewayClientScopes = ["operator.write"]` - `params.command.channel = "webchat"` 3. Route a slash command through `chat.send`. 4. Execute either of these mutating commands: - `/allowlist add dm channel=telegram 789` - `/allowlist add dm --store channel=telegram 789` 5. Confirm the command context is authorized but not owner-equivalent: - `isAuthorizedSender === true` - `senderIsOwner === false` 6. Observe that the commands still succeed and perform persistent writes. **Demonstrated Impact** The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - `src/auto-reply/reply/commands-allowlist.ts:398-503` - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. - Store-backed mutation path: - `src/auto-reply/reply/commands-allowlist.ts:479-485` - `src/auto-reply/reply/commands-allowlist.ts:513-518` - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. **Environment** - Product: OpenClaw - Verified shipped tag: `v2026.3.23` - Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2` - Published GitHub release time: `2026-03-23T23:15:50Z` - Verification date: `2026-03-24` **Duplicate Check** This is not a duplicate of: - `GHSA-pjvx-rx66-r3fg` - that advisory covered cross-account scoping in `/allowlist ... --store`, not missing internal `operator.admin` enforcement. - `GHSA-hfpr-jhpq-x4rm` - that advisory covered `/config` writes through `chat.send`, not `/allowlist`. - `GHSA-3w6x-gv34-mqpf` - same authorization class, but different command path (`/acp`, not `/allowlist`). **In Scope Check** This report is in scope under `SECURITY.md` because: - it does **not** rely on adversarial operators sharing one gateway host or config; - it does **not** target the HTTP compatibility endpoints that `SECURITY.md` explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (`operator.write` vs `operator.admin`); - peer mutating internal chat commands already enforce `operator.admin`, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. **Remediation Advice** 1. Add `requireGatewayClientScopeForInternalChannel(..., allowedScopes: ["operator.admin"], ...)` to the mutating internal `/allowlist` paths. 2. Add regression coverage for both mutation modes: - internal `operator.write` must be rejected; - internal `operator.admin` must be allowed. 3. Cover both config-backed and store-backed writes. 4. Audit other mutating internal chat-command paths for the same missing-scope pattern. |
Affected by 209 other vulnerabilities. |
|
VCID-r75w-jwbm-dyew
Aliases: CVE-2026-44999 GHSA-57r2-h2wj-g887 |
OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events. |
Affected by 12 other vulnerabilities. |
|
VCID-rffw-fgxm-1ue9
Aliases: CVE-2026-41398 GHSA-4p4f-fc8q-84m3 |
Affected by 80 other vulnerabilities. |
|
|
VCID-rm55-3hs1-23b4
Aliases: CVE-2026-42432 GHSA-5wj5-87vq-39xm |
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system. |
Affected by 60 other vulnerabilities. |
|
VCID-rr2j-c7md-57gj
Aliases: CVE-2026-43535 GHSA-jwrq-8g5x-5fhm |
OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions. |
Affected by 30 other vulnerabilities. |
|
VCID-s45u-hr8t-gffq
Aliases: CVE-2026-35617 GHSA-52q4-3xjc-6778 |
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources. |
Affected by 150 other vulnerabilities. |
|
VCID-sbxm-vwhw-9fhd
Aliases: GHSA-x3h8-jrgh-p8jx |
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs ## Summary Exec allowlist analysis rejects shell expansion in unquoted heredocs ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime. ## Fix The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text. ## Fix Commit(s) - b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-sqr6-smfg-uqdy
Aliases: CVE-2026-41298 GHSA-5hff-46vh-rxmw |
OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls. |
Affected by 80 other vulnerabilities. |
|
VCID-sqxg-9akn-j7az
Aliases: CVE-2026-41407 GHSA-jj6q-rrrf-h66h |
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets. |
Affected by 80 other vulnerabilities. |
|
VCID-svyq-6gm7-efez
Aliases: CVE-2026-35646 GHSA-mf5g-6r6f-ghhm |
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests. |
Affected by 150 other vulnerabilities. |
|
VCID-t14t-27xx-83g3
Aliases: CVE-2026-41358 GHSA-qm77-8qjp-4vcm |
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context. |
Affected by 80 other vulnerabilities. |
|
VCID-t2b3-n8xb-k3fn
Aliases: CVE-2026-41372 GHSA-fh32-73r9-rgh5 |
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose browser state. |
Affected by 80 other vulnerabilities. |
|
VCID-t7nn-6cy7-2yak
Aliases: GHSA-gfg9-5357-hv4c |
OpenClaw: Webchat audio embedding could read local files without local-root containment ## Impact OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check. The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.14` - Patched version: `2026.4.15` The latest public release, `2026.4.21`, also contains the fix. ## Patches The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding. Fix commit: - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` ## Workarounds Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 24 other vulnerabilities. |
|
VCID-tegh-qc36-ufha
Aliases: GHSA-qrp5-gfw2-gxv4 |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it. The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium. ## Fix OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy. Fix commit: - `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-tg1c-vs9g-8ya8
Aliases: GHSA-jp4j-q5fc-58gv |
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement ## Summary Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages. ## Impact Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy. ## Affected Component `extensions/discord/src/monitor/agent-components.ts` ## Fixed Versions - Affected: `>= 2026.2.14, <= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `511093d4b3` (`Discord: apply component interaction policy gates`). |
Affected by 150 other vulnerabilities. |
|
VCID-tgnw-vne2-2kc1
Aliases: GHSA-qmwg-qprg-3j38 |
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads ## Summary Browser interaction routes could pivot into local CDP and regain file reads. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards. ## Technical Details The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy. ## Fix The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `5f5b3d733bdd791cb457f838514179e1288b10b3` - PR: #63226 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-tm7a-1rzn-5yak
Aliases: GHSA-gfmx-pph7-g46x |
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade ## Impact Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-tm94-jwz9-kkd6
Aliases: CVE-2026-41351 GHSA-37v6-fxx8-xjmx |
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification. |
Affected by 97 other vulnerabilities. |
|
VCID-ts15-y9qj-13e9
Aliases: CVE-2026-32846 GHSA-hggm-x7r9-mm7v |
OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys. |
Affected by 150 other vulnerabilities. |
|
VCID-ttg2-j7x3-m7de
Aliases: CVE-2026-41342 GHSA-3cw3-5vxw-g2h3 |
Affected by 150 other vulnerabilities. |
|
|
VCID-tyz3-w2hm-gqg7
Aliases: CVE-2026-41393 GHSA-q9w8-cf67-r238 |
OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation. |
Affected by 97 other vulnerabilities. |
|
VCID-ub5p-bp37-hff5
Aliases: CVE-2026-35621 GHSA-94pw-c6m8-p9p9 |
OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal command-authorized context and persist channel allowFrom and groupAllowFrom policy changes reserved for operator.admin scope. |
Affected by 209 other vulnerabilities. |
|
VCID-uxkz-gf1t-kua1
Aliases: GHSA-8j7f-g9gv-7jhc |
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources. |
Affected by 150 other vulnerabilities. |
|
VCID-v3g3-zvr2-3khy
Aliases: GHSA-fqrj-m88p-qf3v |
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets ## Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if `event_name` and `message_id` matched. ## Impact An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.2.19, < 2026.3.31` - Patched versions: `>= 2026.3.31` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — scope webhook replay dedupe per target - `7cea7c29705b188b464cc9cdc107c275b94b2a72` — follow-up hardening to scope replay dedupe by path and account ## Release Process Note The initial fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains follow-up hardening for the same surface. Thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-v3u2-k16m-9kdp
Aliases: CVE-2026-43528 GHSA-8372-7vhw-cm6q |
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted. |
Affected by 30 other vulnerabilities. |
|
VCID-v6e8-g5w8-k3ax
Aliases: GHSA-j4c5-89f5-f3pm |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows. Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low. ## Fix OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations. Fix commits: - `1fd049e3074cac72f6734a7fe88468c84f5f8bd7` - `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-vh9v-4d1k-5ygk
Aliases: CVE-2026-35669 GHSA-qm2m-28pf-hgjw |
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions. | There are no reported fixed by versions. |
|
VCID-vpee-kdhr-xuf3
Aliases: CVE-2026-41373 GHSA-g8xp-qx39-9jq9 |
Affected by 97 other vulnerabilities. |
|
|
VCID-vrd4-ue7s-queb
Aliases: CVE-2026-41379 GHSA-3q42-xmxv-9vfr |
Affected by 150 other vulnerabilities. |
|
|
VCID-w49b-cbcg-abat
Aliases: CVE-2026-35653 GHSA-xp9r-prpg-373r |
OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries. |
Affected by 209 other vulnerabilities. |
|
VCID-wje6-u94m-h3d5
Aliases: CVE-2026-41302 GHSA-9q7v-8mr7-g23p |
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system. |
Affected by 97 other vulnerabilities. |
|
VCID-wks9-hb2x-f7et
Aliases: CVE-2026-41382 GHSA-x2m8-53h4-6hch |
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to restricted voice channels. |
Affected by 97 other vulnerabilities. |
|
VCID-wwx4-qepr-6ue8
Aliases: CVE-2026-41383 GHSA-m34q-h93w-vg5x |
OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data. |
Affected by 80 other vulnerabilities. |
|
VCID-x5a1-bdbv-2fbv
Aliases: CVE-2026-43531 GHSA-7wv4-cc7p-jhxc |
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior. |
Affected by 59 other vulnerabilities. |
|
VCID-xdcp-b977-e3bm
Aliases: CVE-2026-41392 GHSA-wpc6-37g7-8q4w |
OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while bypassing exec allowlist matching restrictions. |
Affected by 97 other vulnerabilities. |
|
VCID-xhej-v61s-vkht
Aliases: CVE-2026-42426 GHSA-67mf-f936-ppxf |
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes. |
Affected by 60 other vulnerabilities. |
|
VCID-xsbb-51rw-p7e8
Aliases: CVE-2026-41365 GHSA-chfm-xgc4-47rj |
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions. |
Affected by 97 other vulnerabilities. |
|
VCID-xttb-bfmd-uyfh
Aliases: CVE-2026-43580 GHSA-536q-mj95-h29h |
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation. |
Affected by 42 other vulnerabilities. |
|
VCID-xv1n-1wbt-8ydw
Aliases: CVE-2026-41337 GHSA-89r3-6x4j-v7wf |
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process. |
Affected by 97 other vulnerabilities. |
|
VCID-xw16-zng9-bug2
Aliases: CVE-2026-35629 GHSA-rhfg-j8jq-7v2h |
OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources. |
Affected by 150 other vulnerabilities. |
|
VCID-y5fh-j64j-8ygt
Aliases: CVE-2026-41299 GHSA-6xg4-82hv-cp6f |
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection. |
Affected by 150 other vulnerabilities. |
|
VCID-y5k6-v1cj-cqg6
Aliases: CVE-2026-45005 GHSA-q8ff-7ffm-m3r9 |
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart. |
Affected by 0 other vulnerabilities. |
|
VCID-y922-jg2a-6fff
Aliases: CVE-2026-41331 GHSA-m6fx-m8hc-572m |
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiating audio preflight operations before authorization checks are applied. |
Affected by 97 other vulnerabilities. |
|
VCID-y927-u929-17bd
Aliases: GHSA-jf56-mccx-5f3f |
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel ## Impact Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-ye9d-bzdx-bbeq
Aliases: CVE-2026-35665 GHSA-w6m8-cqvj-pg5v |
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries. |
Affected by 209 other vulnerabilities. |
|
VCID-yjb1-4y48-a7g6
Aliases: GHSA-98ch-45wp-ch47 |
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding ## Summary Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time. ## Impact An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination. |
Affected by 80 other vulnerabilities. |
|
VCID-yqjc-khg8-uyb4
Aliases: CVE-2026-44114 GHSA-hxvm-xjvf-93f3 |
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. |
Affected by 12 other vulnerabilities. |
|
VCID-ytvf-tpaj-zyet
Aliases: GHSA-q2qc-744p-66r2 |
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility ## Summary `session_status` sessionId resolution bypasses sandboxed session-tree visibility ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `>= 2026.3.11, <= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details `session_status` previously resolved a `sessionId` to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit `sessionKey`. Commit `d9810811b6c3c9266d7580f00574e5e02f7663de` enforces visibility after `sessionId` resolution so sandboxed callers cannot escape their session tree. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d9810811b6c3c9266d7580f00574e5e02f7663de`. ## Fix Commit(s) - `d9810811b6c3c9266d7580f00574e5e02f7663de` |
Affected by 150 other vulnerabilities. |
|
VCID-z438-846q-27f3
Aliases: CVE-2026-41297 GHSA-vjx8-8p7h-82gr |
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers. |
Affected by 97 other vulnerabilities. |
|
VCID-z4z4-3e3q-zbfy
Aliases: CVE-2026-35661 GHSA-j4c9-w69r-cw33 |
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state. |
Affected by 150 other vulnerabilities. |
|
VCID-z5ke-btzd-b7cx
Aliases: CVE-2026-35664 GHSA-77w2-crqv-cmv3 |
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization. |
Affected by 150 other vulnerabilities. |
|
VCID-z9dc-47q8-7kc8
Aliases: CVE-2026-35645 GHSA-h4jx-hjr3-fhgc |
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope. |
Affected by 150 other vulnerabilities. |
|
VCID-zmfp-x82c-3kcd
Aliases: CVE-2026-41352 GHSA-xj9w-5r6q-x6v4 |
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation. |
Affected by 97 other vulnerabilities. |
|
VCID-zqds-fryf-tbgv
Aliases: GHSA-58q2-7r52-jq62 |
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read ## Summary Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read ## Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 ACP dispatch still reads attachment paths outside the guarded attachment-cache or root checks, and the root-enforcement fix is not yet shipped. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d` — 2026-03-30T14:04:02+01:00 OpenClaw thanks @north-echo for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-zw9g-abft-skg9
Aliases: CVE-2026-41343 GHSA-qcc3-jqwp-5vh2 |
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability. |
Affected by 97 other vulnerabilities. |
|
VCID-zxc5-3vhg-b3hw
Aliases: CVE-2026-41339 GHSA-2f7j-rp58-mr42 |
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks. |
Affected by 80 other vulnerabilities. |
|
VCID-zzub-kp8h-2kar
Aliases: CVE-2026-41395 GHSA-8689-gm9g-jgr6 |
OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call processing with a captured valid signed webhook. |
Affected by 150 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1cbb-8u8n-dqa8 | Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests. |
GHSA-j56c-wpqm-h24x
|
| VCID-k1fs-5s5j-xyh6 | OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests. |
CVE-2026-35618
GHSA-cg6c-q2hx-69h7 |
| VCID-pjra-aaxs-ybek | OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access. |
CVE-2026-35634
GHSA-6mqc-jqh6-x8fc |
| VCID-sb3c-wxqd-akg3 | OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions. |
CVE-2026-35660
GHSA-wq58-2pvg-5h4f |
| VCID-y493-unyv-33bw | Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6mqc-jqh6-x8fc. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access. |
GHSA-9gvx-vj57-vqqx
|