Search for packages
| purl | pkg:npm/openclaw@2026.4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1pbz-8rnx-dkhe
Aliases: CVE-2026-42432 GHSA-5wj5-87vq-39xm |
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement ## Impact Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.5` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-258k-a4dw-tfae
Aliases: GHSA-w6wx-jq6j-6mcj |
OpenClaw: pnpm dlx approvals did not bind local script operands ## Summary Before OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval. ## Impact An operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @Kazamayc for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-29a1-7ar7-67e1
Aliases: CVE-2026-43585 GHSA-xmxx-7p24-h892 |
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation ## Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. ## Impact A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value. Verified in `v2026.4.15`: - `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot. - `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks. - `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-2c8p-gbaw-3ye4
Aliases: CVE-2026-44999 GHSA-57r2-h2wj-g887 |
OpenClaw: Isolated cron awareness events were recorded as trusted system events ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without `trusted: false`. That made the event render as a trusted `System:` event instead of an untrusted system event. This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low. ## Fix OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers. Fix commit: - `f61896b03cc7031f51106a04566831f4ac2a0bd7` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-2h6a-becf-x7ej
Aliases: CVE-2026-41915 GHSA-cm8v-2vh9-cxf3 |
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) ## Impact GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant). Git plumbing environment variables were not removed before host exec and could redirect Git operations. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.3.30` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-2khh-wv8p-97ff
Aliases: CVE-2026-42435 GHSA-j6c7-3h5x-99g9 |
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms ## Summary Shell-wrapper detection missed env-argv assignment injection forms. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.22 < 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact Exec preflight handling missed shell-wrapper and argv-level environment assignment forms that could affect execution semantics, including high-risk shell environment controls. ## Technical Details The fix broadens shell-wrapper detection and blocks environment assignments in argv forms. High-risk shell variables such as `SHELLOPTS` and `PS4` are covered by the host environment security policy. ## Fix The issue was fixed in #65717. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8f8492d172f4c5b4fd7dd9a47855ed620c8770ab` - PR: #65717 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @decsecre583 for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-2mxq-krq5-bycx
Aliases: CVE-2026-43574 GHSA-49cg-279w-m73x |
OpenClaw: Empty approver lists could grant explicit approval authorization ## Summary Empty approver lists could grant explicit approval authorization. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id. ## Technical Details The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders. ## Fix The issue was fixed in #65714. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `0a105c0900de701d2ee9f1abc96b017afbd0afdd` - PR: #65714 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-356u-h788-pkgt
Aliases: CVE-2026-40045 GHSA-83f3-hh45-vfw9 |
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// ## Summary Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint. ## Impact A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zsxsoft for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-3xmj-n798-x3cw
Aliases: CVE-2026-43527 GHSA-53vx-pmqw-863c |
OpenClaw: Browser SSRF policy default allowed private-network navigation ## Summary Browser SSRF policy default allowed private-network navigation. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. ## Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. ## Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `024f4614a1a1831406e763adc40ef226e3d5e9ed` - `1dabfef28db523e7de81edeb3dd689e9171236a2` - `213c36cf51121ef6c05cfccd78037371f968f31a` - `7eecfa411df3d12e6b810e6ca5df47254fc3db3f` - PR: #66354, #66386 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-3zwq-dz2u-pqgv
Aliases: CVE-2026-42427 GHSA-7437-7hg8-frrw |
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) ## Impact HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class). Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.8` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-4316-7q9a-xuhx
Aliases: CVE-2026-45005 GHSA-q8ff-7ffm-m3r9 |
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload ## Summary OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted. ## Impact An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix Webhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected. ## Fix Commit(s) - `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`) ## Severity Severity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation. |
Affected by 0 other vulnerabilities. |
|
VCID-4u3z-rs45-gbhe
Aliases: CVE-2026-45003 GHSA-55cf-xx38-4p9p |
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts ## Summary Workspace dotenv files cannot override connector endpoint hosts. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint. ## Fix Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate. ## Fix Commit(s) - 0623079e98abf7202591f1b04a89755eb7ec9272 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @qi-scape for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-4urc-4536-pqhk
Aliases: GHSA-gfmx-pph7-g46x |
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade ## Impact Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-6wth-qthz-yud8
Aliases: CVE-2026-42436 GHSA-c4qm-58hj-j6pj |
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation ## Summary Browser snapshot and screenshot routes could expose internal page content after navigation. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Authenticated browser tool callers could use snapshot, screenshot, or tab routes that did not consistently validate the final browser target after route-driven navigation. In restrictive browser SSRF configurations this could expose content from internal or otherwise disallowed pages. ## Technical Details The fix re-checks browser snapshot, screenshot, and tab route results against the configured browser SSRF policy before returning page content. Regression coverage was added around snapshot/screenshot and tab-route flows. ## Fix The issue was fixed in #66040. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `b75ad800a59009fc47eaa3471410f69046150e59` - PR: #66040 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-6y5w-am4s-6qa5
Aliases: CVE-2026-43530 GHSA-2cq5-mf3v-mx44 |
OpenClaw: busybox and toybox applet execution weakened exec approval binding ## Summary busybox and toybox applet execution weakened exec approval binding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.23 < 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact Opaque multi-call binaries such as `busybox` and `toybox` could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification. ## Technical Details The fix treats `busybox` and `toybox` as opaque mutable script runners and fails closed rather than binding unsafe applet invocations. ## Fix The issue was fixed in #65713. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `666f48d9b882a8a1415ca53f9567c72499d850c9` - PR: #65713 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @decsecre583 for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-733f-57ds-xugm
Aliases: GHSA-rf75-g96h-j3rm |
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. ### Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked. |
Affected by 80 other vulnerabilities. |
|
VCID-73cz-n29z-uqem
Aliases: GHSA-pg8g-f2hf-x82m |
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. |
Affected by 60 other vulnerabilities. |
|
VCID-75yr-sbce-nkah
Aliases: CVE-2026-41914 GHSA-3fv3-6p2v-gxwj |
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths ## Impact QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths. QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @adithyan-ak for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-7akj-469t-57hz
Aliases: GHSA-7jm2-g593-4qrc |
OpenClaw: Agent gateway config mutations could change protected operator settings ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings. This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium. ## Fix OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching. Fix commit: - `fe30b31a97a917ecc6e92f6c85378b6b20352422` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-7ntr-5dr5-9uf8
Aliases: GHSA-98ch-45wp-ch47 |
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding ## Summary Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time. ## Impact An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination. |
Affected by 80 other vulnerabilities. |
|
VCID-7snr-fn3u-x3b8
Aliases: CVE-2026-43582 GHSA-xq94-r468-qwgj |
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding ## Summary Browser SSRF hostname validation could be bypassed by DNS rebinding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Browser navigation policy could validate a hostname/IP resolution that differed from the address Chromium ultimately used, allowing DNS rebinding style SSRF pivots. ## Technical Details The fix tightens strict browser hostname navigation so unallowlisted hostname URLs fail closed under restrictive policy. ## Fix The issue was fixed in #64367. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `121c452d666d4749744dc2089287d0227aae2ed3` - PR: #64367 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-7z2s-k6ty-ekg1
Aliases: CVE-2026-41298 GHSA-5hff-46vh-rxmw |
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill ## Summary Before OpenClaw 2026.4.2, `POST /sessions/:sessionKey/kill` did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session. ## Impact A read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `54a0878517167c6e49900498cf77420dadb74beb` — enforce session-kill HTTP scopes ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @EaEa0001 for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-96jd-x87b-s3ey
Aliases: CVE-2026-41407 GHSA-jj6q-rrrf-h66h |
OpenClaw: Shared-secret comparison call sites leaked length information through timing ## Summary Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences. ## Impact The affected paths exposed a low-severity timing side channel on secret comparison. The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `be10ecef770a4654519869c3641bbb91087c8c7b` — reuse the shared secret comparison helper at affected call sites ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-9hcd-uj62-8yeu
Aliases: CVE-2026-43533 GHSA-66r7-m7xm-v49h |
OpenClaw: QQBot media tags could read arbitrary local files through reply text ## Summary QQBot media tags could read arbitrary local files through reply text. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact QQBot outbound media tags in AI reply text could reference host-local paths outside the intended media storage boundary, allowing local file disclosure through outbound media handling. ## Technical Details The fix enforces the media storage boundary for all outbound QQBot local file paths. ## Fix The issue was fixed in #63271. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `604777e4414cc3b2ff8861f18f4fb04374c702c6` - PR: #63271 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-9kgh-wj9w-ykff
Aliases: CVE-2026-43526 GHSA-2767-2q9v-9326 |
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes ## Summary QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact QQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned bytes were then re-uploaded through the channel. ## Technical Details The fix routes QQBot remote media fetches through SSRF-guarded media fetching and explicit URL allowlist policy. ## Fix The issue was fixed in #63495 and #65788. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a` - `ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d` - PR: #63495, #65788 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @threalwinky for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-9xgq-vtg2-jucq
Aliases: CVE-2026-42426 GHSA-67mf-f936-ppxf |
## Impact OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-a46u-tnbh-fyhs
Aliases: GHSA-f934-5rqf-xx47 |
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths ## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-a4jz-y9s4-zkfg
Aliases: CVE-2026-44991 GHSA-c28g-vh7m-fm7v |
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners ## Impact OpenClaw deployments before `2026.4.21` could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared `commands.enforceOwnerForCommands: true`; - the channel accepted wildcard inbound senders with `allowFrom: ["*"]`; - no explicit `commands.ownerAllowFrom` was configured. In that state, `src/auto-reply/command-auth.ts` reused the channel inbound wildcard as part of the command-owner decision. A sender who was not the owner could therefore pass the owner-command gate for commands such as `/send`, `/config`, or `/debug` on the affected channel. The issue is limited to the command-owner authorization axis. It does not by itself grant owner-only tool access, host/sandbox access, or gateway administrator scope. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.20` - Patched version: `2026.4.21` The latest public release, `2026.4.21`, contains the fix. ## Patches The fix requires a concrete owner identity or internal operator-admin scope when a plugin enforces owner-only commands. Wildcard channel `allowFrom` no longer implies wildcard command ownership. Fix commits: - `2aa93d44a1b2c7058c371f261fda2b5d4de4a882` on `main` - `995febb7b1e811ff6a1df5b18c22de94103f4c9f` in the `2026.4.21` release line ## Workarounds Upgrade to `openclaw@2026.4.21` or later. Before upgrading, avoid wildcard/open-DM sender policy on owner-enforced channels, or configure `commands.ownerAllowFrom` to the intended owner identities. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 11 other vulnerabilities. |
|
VCID-arks-g6hw-abbw
Aliases: CVE-2026-43569 GHSA-939r-rj45-g2rj |
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins ## Summary Workspace provider auth choices could auto-enable untrusted provider plugins. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Non-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin, auto-enabling that plugin during auth setup. ## Technical Details The fix prefers trusted provider origins for auth choices and excludes untrusted workspace choices unless they are explicitly enabled. ## Fix The issue was fixed in #62368. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `2d97eae53e212ae26f3aebcd6a50ffc6877f770d` - PR: #62368 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-bgwh-spue-yybk
Aliases: CVE-2026-34511 GHSA-9jpj-g8vv-j5mf |
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter ## Summary Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code. ## Impact Anyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier OpenClaw thanks @BG0ECV for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-bkya-73v8-bber
Aliases: CVE-2026-42423 GHSA-q2gc-xjqw-qp89 |
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts ## Impact strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-c25h-khws-2fc3
Aliases: GHSA-f3h5-h452-vp3j |
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence ## Summary Nostr profile mutation routes allowed operator.write config persistence. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority. ## Technical Details The fix requires `operator.admin` scope for Nostr profile mutation routes. ## Fix The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `6517c700de9bb0ee11b41ab625ef3b63d01b6083` - PR: #63553 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-cbuu-4d6c-rben
Aliases: CVE-2026-42428 GHSA-3vvq-q2qc-7rmp |
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification ## Impact B-M3: ClawHub package downloads are not enforced with integrity verification. ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-d8v2-gft5-buee
Aliases: CVE-2026-41354 GHSA-rxmx-g7hr-8mx4 |
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders ## Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. ## Impact Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @D0ub1e-D for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-dfdk-dhwf-9yaj
Aliases: CVE-2026-43528 GHSA-8372-7vhw-cm6q |
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases ## Summary config.get redaction bypass through sourceConfig and runtimeConfig aliases. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials. ## Technical Details The fix explicitly overwrites `sourceConfig` and `runtimeConfig` with the same redacted copies used for `resolved` and `config`, including the invalid-snapshot branch. Tests now cover both alias fields. ## Fix The issue was fixed in #66030. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `86734ef93a2f25063371b04f1946eb300548acd4` - PR: #66030 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-dmse-bb22-rkcj
Aliases: GHSA-jf56-mccx-5f3f |
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel ## Impact Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-dv5s-pvw1-a7fu
Aliases: CVE-2026-45004 GHSA-r39h-4c2p-3jxp |
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution ## Summary OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution. ## Impact This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution. ## Fix Commit(s) - `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`) ## Severity Severity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory. |
Affected by 0 other vulnerabilities. |
|
VCID-e25p-j5ed-yqfz
Aliases: GHSA-93rg-2xm5-2p9v |
OpenClaw's Gateway Control UI bootstrap config required Gateway auth ## Summary Gateway Control UI bootstrap config required Gateway auth. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions. ## Fix The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling. ## Fix Commit(s) - 2321d67263bc710e357644d59f746b08d891051b ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-e4ac-qm17-qbf5
Aliases: GHSA-w9j9-w4cp-6wgr |
## Impact OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.3.28` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @wsparks-vc for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-fuda-zxu8-gbb4
Aliases: GHSA-525j-hqq2-66r4 |
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 ## Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range. ## Technical Details The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured. ## Fix The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fbf11ebdb7110632f93926d0ac7b48f04cb44d77` - PR: #61404 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-gk95-28x9-17dk
Aliases: GHSA-gfg9-5357-hv4c |
OpenClaw: Webchat audio embedding could read local files without local-root containment ## Impact OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check. The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.14` - Patched version: `2026.4.15` The latest public release, `2026.4.21`, also contains the fix. ## Patches The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding. Fix commit: - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` ## Workarounds Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 24 other vulnerabilities. |
|
VCID-gkyv-ahk7-1ud3
Aliases: GHSA-qrp5-gfw2-gxv4 |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it. The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium. ## Fix OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy. Fix commit: - `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-haxd-ps1x-h3ch
Aliases: CVE-2026-42430 GHSA-w8g9-x8gx-crmm |
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable ## Impact Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable. Strict browser SSRF checks could miss Playwright request-time navigation to private targets. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `2026.3.8` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @smaeljaish771 for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-hz33-9efv-c7ef
Aliases: GHSA-72q8-jcmc-97wx |
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy. The issue is limited to Feishu card-action handling. Severity is medium. ## Fix OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs. Fix commit: - `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-jshg-1pb2-wbak
Aliases: CVE-2026-44116 GHSA-2hh7-c75g-qj2r |
OpenClaw validates Zalo outbound photo URLs through the SSRF guard ## Summary Zalo outbound photo URLs are validated through the SSRF guard. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy. ## Fix Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers. ## Fix Commit(s) - a65eb1b864b7630c1242a82de9e5799b80583c3f ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @foodlook for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-k8s8-zjv4-gqdb
Aliases: GHSA-xrq9-jm7v-g9h7 |
OpenClaw: Paired-device pairing actions were not limited to the caller device ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-kcy2-a98b-uyg7
Aliases: GHSA-x3h8-jrgh-p8jx |
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs ## Summary Exec allowlist analysis rejects shell expansion in unquoted heredocs ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime. ## Fix The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text. ## Fix Commit(s) - b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-kxmf-d7w1-xfcv
Aliases: CVE-2026-44110 GHSA-2gvc-4f3c-2855 |
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. |
Affected by 24 other vulnerabilities. |
|
VCID-ma62-gtan-97au
Aliases: CVE-2026-42431 GHSA-cmfr-9m2r-xwhq |
## Impact OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard. node.invoke(browser.proxy) could mutate persistent browser profiles through a path that bypassed the browser.request guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-mszk-dr24-xugw
Aliases: CVE-2026-43567 GHSA-jf25-7968-h2h5 |
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard ## Summary screen_record outPath bypassed workspace-only filesystem guard. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary. ## Technical Details The fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths. ## Fix The issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `635bb35b68d8faa5bfa2fda35feadd315122748a` - PR: #63551 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-mv8b-cryt-u3g8
Aliases: CVE-2026-41911 GHSA-5fc7-f62m-8983 |
OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) ## Impact Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix). Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.3` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @Rosayxy for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-mxu5-yjqs-nuap
Aliases: CVE-2026-43573 GHSA-527m-976r-jf79 |
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement ## Summary Existing-session browser interaction routes bypassed SSRF policy enforcement. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Existing-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes. ## Technical Details The fix guards existing-session navigation and interaction routes with browser navigation policy checks. ## Fix The issue was fixed in #64370. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `daeb74920d5ad986cb600625180037e23221e93a` - PR: #64370 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-nkh4-j2pe-1qhr
Aliases: CVE-2026-44117 GHSA-c4qg-j8jg-42q5 |
OpenClaw: QQBot direct media upload skipped URL SSRF validation ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow. The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low. ## Fix OpenClaw now validates QQBot direct-upload media URLs before `uploadC2CMedia` and `uploadGroupMedia` direct-upload calls. Fix commit: - `49db424c8001f2f419aad85f434894d8d85c1a09` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ns77-4wfj-9ka6
Aliases: CVE-2026-43571 GHSA-82qx-6vj7-p8m2 |
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows ## Summary Channel setup catalog lookups could include untrusted workspace plugin shadows. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-time plugin loading without the intended trust gate. ## Technical Details The fix routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup should not include workspace shadows. ## Fix The issue was fixed in the advisory fix branch. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `1fede43b948df40ca8674511d4bd08d39f6c5837` - PR: private advisory fork ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-ntwt-jkgr-sffu
Aliases: CVE-2026-42421 GHSA-5h3f-885m-v22w |
OpenClaw: Existing WS sessions survive shared gateway token rotation ## Impact Existing WS sessions survive shared gateway token rotation. Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-nv6g-7gs9-pfan
Aliases: GHSA-92jp-89mq-4374 |
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials ## Summary Sandbox noVNC helper route exposed interactive browser session credentials. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.21 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface. ## Technical Details The fix gates the sandbox noVNC helper route behind bridge authentication. ## Fix The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8dfbf3268bd224b7377d1ecca77a445100746085` - PR: #63882 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-nw4r-wjgs-8qc1
Aliases: CVE-2026-41910 GHSA-vc32-h5mq-453v |
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes ## Impact /allowlist omits owner-only enforcement for cross-channel allowlist writes. An authorized non-owner sender could attempt allowlist writes against a different channel. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=v2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-p7gx-9usz-yyew
Aliases: CVE-2026-42429 GHSA-4f8g-77mw-3rxc |
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` ## Impact Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`. Plugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `2026.1.29` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @smaeljaish771 for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-p7v5-jqhq-nbhz
Aliases: GHSA-846p-hgpv-vphc |
OpenClaw: QQ Bot structured payloads could read arbitrary local files ## Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. ## Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-p8xd-2um4-9ufr
Aliases: CVE-2026-41908 GHSA-v8qf-fr4g-28p2 |
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy caller without `operator.read` could access assistant-media files and metadata that were otherwise inside allowed media roots. The route still required successful gateway authentication and media-root checks. Severity is low. ## Fix Assistant-media file and metadata requests now require `operator.read` on identity-bearing HTTP auth paths. Fix commit: - `99ef3a63c58440d53f8e45ad861b846032fcb036` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-pae5-uyu7-k3c1
Aliases: CVE-2026-43580 GHSA-536q-mj95-h29h |
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage ## Summary Browser press/type interaction routes missed complete navigation guard coverage. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. ## Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. ## Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe` - `5f5b3d733bdd791cb457f838514179e1288b10b3` - `e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894` - PR: #62023, #63226, #63889 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-pdmd-a4fg-8fcg
Aliases: CVE-2026-43531 GHSA-7wv4-cc7p-jhxc |
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables ## Summary Workspace .env could inject OpenClaw runtime-control variables. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact A malicious workspace `.env` file could set OpenClaw runtime-control variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behavior. ## Technical Details The fix blocks OpenClaw runtime-control keys and key families from workspace `.env` loading. ## Fix The issue was fixed in #62660. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `dbfcef319618158fa40b31cdac386ea34c392c0c` - PR: #62660 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-pj41-sunw-vbcj
Aliases: GHSA-g375-h3v6-4873 |
OpenClaw: Heartbeat owner downgrade missed local async exec completion events ## Summary Heartbeat owner downgrade missed local async exec completion events. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.3.31 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Local background exec completion text could be missed by heartbeat owner-downgrade detection, leaving a run in a more privileged context than intended after untrusted completion content. ## Technical Details The fix expands exec-completion detection to local background exec formats and adds targeted tests. ## Fix The issue was fixed in #64376. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `19a2e9ddb5a8a494abcba812bb11f51075026a27` - PR: #64376 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-psms-gauf-tkbz
Aliases: CVE-2026-42420 GHSA-ccx3-fw7q-rr2r |
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks ## Impact Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Several base64 decode paths could allocate before enforcing decoded-size limits. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=v2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @zsxsoft and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-q6ne-sw1r-xkd1
Aliases: CVE-2026-41358 GHSA-qm77-8qjp-4vcm |
OpenClaw: Slack thread context could include messages from non-allowlisted senders ## Summary Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread. ## Impact A Slack deployment that relied on sender allowlists could still feed non-allowlisted thread content into the model context through thread history. This was a sender-access-control bypass on Slack thread context, not a direct channel-auth bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `ac5bc4fb37becc64a2ec314864cca1565e921f2d` — filter Slack thread context by the effective allowlist ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. OpenClaw thanks @AntAISecurityLab for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-qedr-a3ay-v3gx
Aliases: CVE-2026-42433 GHSA-7jp6-r74r-995q |
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools ## Summary Matrix profile config persistence was reachable from operator.write message tools. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Gateway `operator.write` message-tool paths could reach Matrix profile persistence that should have required admin-level authority. ## Technical Details The fix gates Matrix profile updates for non-owner message-tool runs and prevents write-scoped callers from mutating persistent profile config. ## Fix The issue was fixed in #62662. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fe0f686c9228fffcec6de4011da45e69a6e23e54` - PR: #62662 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-qjss-tvgk-3ubk
Aliases: GHSA-ch86-pxr9-j9h9 |
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption. |
Affected by 80 other vulnerabilities. |
|
VCID-r5bw-c2py-9udf
Aliases: CVE-2026-41383 GHSA-m34q-h93w-vg5x |
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped ## Summary Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations. ## Impact If an attacker could influence those OpenShell config values, mirror sync could delete the contents of an unintended remote directory and replace them with uploaded workspace data. This was a destructive remote-path bug in the mirror-sync path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `b21c9840c2e38f4bb338d031511b479d5f07ca25` — constrain OpenShell mirror sync roots ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @jufeng123768 for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-rr6t-1193-ybgz
Aliases: CVE-2026-44995 GHSA-mj59-h3q9-ghfh |
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server. The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical. ## Fix OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers. Fix commits: - `62fa5071896e95edc7f67d1cebc70a2859e283af` - `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ry1r-br3q-2uaw
Aliases: CVE-2026-44118 GHSA-r6xh-pqhr-v4xh |
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens ## Summary MCP loopback owner context is derived from server-issued bearer tokens. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations. ## Fix The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted. ## Fix Commit(s) - 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-t2ve-xemk-mqa9
Aliases: CVE-2026-44112 GHSA-wppj-c6mr-83jj |
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root ## Summary OpenShell FS bridge writes stay pinned to the sandbox mount root ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root. ## Fix OpenShell write paths now validate the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox. ## Fix Commit(s) - 7be82d4fd1193bcb7e44ee38838f00bf924ffa76 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-t2yy-9ume-t7be
Aliases: CVE-2026-43535 GHSA-jwrq-8g5x-5fhm |
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context ## Summary Collect-mode queue batches could reuse the last sender authorization context. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Collect-mode queued messages from different senders could be drained as one batch using the final sender's authorization context, allowing earlier messages to inherit a more privileged context. ## Technical Details The fix splits collect-mode batches by sender authorization context before dispatch, preserving each message's own trust state. ## Fix The issue was fixed in #66024. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `43d4be902755c970b3d15608679761877718da69` - PR: #66024 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-una1-gxkk-t3bp
Aliases: CVE-2026-41295 GHSA-2qrv-rc5x-2g2h |
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup ## Summary Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled. ## Impact A cloned workspace could turn channel setup for a built-in channel into unintended in-process code execution from an untrusted workspace plugin. This bypassed the intended workspace-plugin trust boundary during setup and login. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0` — ignore untrusted workspace channel shadows during setup resolution ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @zpbrent for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-v9cd-65tf-p3f8
Aliases: CVE-2026-41398 GHSA-4p4f-fc8q-84m3 |
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch ## Summary Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check. ## Impact A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.1 - Patched versions: >= 2026.4.2 - Latest published npm version: 2026.4.1 ## Fix Commit(s) 49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs ## Release Process Note The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live. Thanks [@nexrin](https://github.com/nexrin) for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-vfbb-bpy9-87ey
Aliases: CVE-2026-43570 GHSA-35mw-5vvr-vrxc |
OpenClaw contains a symlink traversal vulnerability OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. |
Affected by 81 other vulnerabilities. |
|
VCID-vy8v-np82-r3b5
Aliases: CVE-2026-41916 GHSA-68x5-xx89-w9mm |
OpenClaw: resolvedAuth closure becomes stale after config reload ## Impact resolvedAuth closure becomes stale after config reload. After a config reload, newly accepted gateway connections could continue using stale resolved auth state. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-vz7k-r7c4-ebfg
Aliases: GHSA-j4c5-89f5-f3pm |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows. Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low. ## Fix OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations. Fix commits: - `1fd049e3074cac72f6734a7fe88468c84f5f8bd7` - `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-w2tj-nqa6-cuam
Aliases: GHSA-qmwg-qprg-3j38 |
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads ## Summary Browser interaction routes could pivot into local CDP and regain file reads. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards. ## Technical Details The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy. ## Fix The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `5f5b3d733bdd791cb457f838514179e1288b10b3` - PR: #63226 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-w4p1-sxdg-hyha
Aliases: CVE-2026-42424 GHSA-qqq7-4hxc-x63c |
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration ## Impact Shared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration. A crafted shared reply MEDIA reference could cause another channel to read a local file path as trusted generated media. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.4` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @threalwinky for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-w58d-6veg-uugy
Aliases: CVE-2026-41339 GHSA-2f7j-rp58-mr42 |
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients ## Summary Before OpenClaw 2026.4.2, the Gateway `connect` success snapshot exposed local `configPath` and `stateDir` metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role. ## Impact A non-admin client could recover host-specific filesystem paths and related deployment metadata, aiding host fingerprinting and chained attacks. This was an information-disclosure issue, not a direct authorization bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `676b748056b5efca6f1255708e9dd9469edf5e2e` — limit connect snapshot metadata to admin-scoped clients ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @topsec-bunney for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-wmr3-83u3-6qdb
Aliases: CVE-2026-40037 GHSA-qx8j-g322-qj6m |
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects ## Impact `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects. A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<2026.3.31` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @BG0ECV for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-wyce-qxau-mqff
Aliases: CVE-2026-43576 GHSA-f7fh-qg34-x2xh |
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets ## Summary CDP /json/version WebSocket URL could pivot to untrusted second-hop targets. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.5` - Patched versions: `>= 2026.4.5` ## Impact A browser profile could trust a CDP `/json/version` response whose `webSocketDebuggerUrl` pointed at a different host, enabling a second-hop SSRF-style pivot. ## Technical Details The fix normalizes and re-validates direct CDP WebSocket targets before connecting. ## Fix The issue was fixed in #60469. The first stable tag containing the fix is `v2026.4.5`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `bc356cc8c2beaa747c71dd86cceab8f804699665` - PR: #60469 ## Release Process Note Users should upgrade to `openclaw` 2026.4.5 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 81 other vulnerabilities. |
|
VCID-x2ru-ydpv-f3ah
Aliases: CVE-2026-43529 GHSA-gj9q-8w99-mp8j |
OpenClaw: TOCTOU read in exec script preflight ## Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window. Still, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis. ## Technical Details The vulnerable flow performed separate path validation and file reads in `validateScriptFileForShellBleed`. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read. ## Fix PR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows. ## Fix Commit(s) - `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`) - PR: #62333 ## Release Process Note The fix first shipped in `v2026.4.10`. Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix. ## Credits Thanks to @kikayli for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-xfgw-ua7r-abbr
Aliases: CVE-2026-41372 GHSA-fh32-73r9-rgh5 |
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections ## Summary Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as `localhost.` and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost. ## Impact A hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `9c22d636697336a6b22b0ae24798d8b8325d7828` — normalize localhost absolute-form CDP hosts before loopback checks ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @smaeljaish771 for reporting. |
Affected by 80 other vulnerabilities. |
|
VCID-xj73-kszs-yygp
Aliases: CVE-2026-44997 GHSA-q3jj-46pq-826r |
OpenClaw's ACP child sessions inherit subagent security envelope constraints ## Summary ACP child sessions inherit subagent security envelope constraints. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions. ## Fix ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions. ## Fix Commit(s) - 31160dc069b7cc5d833b39c53736a41ad3befda2 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-xnvm-rp36-vyaj
Aliases: CVE-2026-41913 GHSA-25wv-8phj-8p7r |
OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths ## Impact Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.2` - Patched versions: `2026.4.4` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @Telecaster2147 for reporting. |
Affected by 0 other vulnerabilities. Affected by 81 other vulnerabilities. |
|
VCID-xsct-xjs7-nbab
Aliases: CVE-2026-44109 GHSA-xh72-v6v9-mwhc |
OpenClaw: Feishu webhook and card-action validation now fail closed ## Summary Feishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. ## Impact A deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch. Verified in `v2026.4.15`: - `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling. - `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard. - `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection. - `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707 Thanks to @dhyabi2 for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-y65g-4baa-a7c2
Aliases: CVE-2026-45002 GHSA-2xcp-x87w-q377 |
OpenClaw: Hook mapping templates could bypass hook session-key opt-in ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Templated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers. This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium. ## Fix Template-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks. Fix commit: - `5275d008ed33203dba3f98e969ad683a65c416c3` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-y7sd-j9xn-qffs
Aliases: CVE-2026-34425 GHSA-fvx6-pj3r-5q4q |
OpenClaw's complex interpreter pipelines could skip exec script preflight validation ## Summary Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely. ## Impact An attacker-controlled command shape could bypass the intended preflight validation for script execution. This weakened a defense-in-depth guard that was meant to block unsafe script content before execution. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513` — close the fail-open bypass in exec script preflight ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination. |
Affected by 80 other vulnerabilities. |
|
VCID-ye4t-n6r3-67ab
Aliases: GHSA-cwj3-vqpp-pmxr |
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes ## Summary The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations. ## Impact A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked. ## Fix Commit(s) - `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`) ## Severity Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. |
Affected by 0 other vulnerabilities. |
|
VCID-yhpq-5qy3-y7bn
Aliases: CVE-2026-44114 GHSA-hxvm-xjvf-93f3 |
OpenClaw: Workspace dotenv could override runtime-control environment variables ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium. ## Fix OpenClaw now reserves the workspace `OPENCLAW_` environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables. Fix commit: - `018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ymmv-2qmq-6kap
Aliases: CVE-2026-44113 GHSA-5h3g-6xhh-rg6p |
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read. ## Fix OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback. ## Fix Commit(s) - 95119017c847c737bd113f0bff728c4666d79c45 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-z8mj-pnbe-wqej
Aliases: CVE-2026-41912 GHSA-vr5g-mmx7-h897 |
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation ## Impact Browser SSRF Policy Bypass via Interaction-Triggered Navigation. Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.5` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @ccreater222 and @KeenSecurityLab for reporting. |
Affected by 60 other vulnerabilities. |
|
VCID-zg68-u5b5-vkft
Aliases: CVE-2026-43534 GHSA-7g8c-cfr3-vqqr |
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input ## Summary Agent hook events could enqueue trusted system events from unsanitized external input. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Agent hook dispatch could turn externally supplied hook metadata into trusted system events, allowing untrusted input to enter the agent as higher-trust context. ## Technical Details The fix sanitizes hook names and marks agent hook system events as untrusted before enqueueing them. ## Fix The issue was fixed in #64372. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `e3a845bde5b54f4f1e742d0a51ba9860f9619b29` - PR: #64372 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zpte-tgt5-wqcm
Aliases: CVE-2026-42439 GHSA-rj2p-j66c-mgqh |
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy ## Summary Browser tabs action select and close routes bypassed SSRF policy. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The browser `/tabs/action` select and close branches could operate on targets without enforcing configured browser SSRF policy, weakening tab-level navigation protections. ## Technical Details The fix enforces browser SSRF policy in the select and close tab-action branches. ## Fix The issue was fixed in #63332. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `48c0347921b7e9438af0312968fc360ca88023f3` - PR: #63332 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zu4s-jnn3-1kd8
Aliases: CVE-2026-43584 GHSA-vfp4-8x56-j7c5 |
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables ## Summary Exec environment denylist missed high-risk interpreter startup variables. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The exec environment policy missed interpreter startup variables such as `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES`, allowing operator-supplied environment overrides to influence downstream execution or network behavior. ## Technical Details The fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage. ## Fix The issue was fixed in #63277. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `2d126fc62343a7b6895351f96e4e1474bc358140` - PR: #63277 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zunq-wnnf-k3fw
Aliases: CVE-2026-42422 GHSA-whf9-3hcx-gq54 |
## Impact OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing. Device token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= v2026.04.01` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting. |
Affected by 60 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||