Search for packages
| purl | pkg:npm/openclaw@2026.4.15 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2c8p-gbaw-3ye4
Aliases: CVE-2026-44999 GHSA-57r2-h2wj-g887 |
OpenClaw: Isolated cron awareness events were recorded as trusted system events ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without `trusted: false`. That made the event render as a trusted `System:` event instead of an untrusted system event. This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low. ## Fix OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers. Fix commit: - `f61896b03cc7031f51106a04566831f4ac2a0bd7` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-4316-7q9a-xuhx
Aliases: CVE-2026-45005 GHSA-q8ff-7ffm-m3r9 |
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload ## Summary OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted. ## Impact An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix Webhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected. ## Fix Commit(s) - `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`) ## Severity Severity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation. |
Affected by 0 other vulnerabilities. |
|
VCID-4u3z-rs45-gbhe
Aliases: CVE-2026-45003 GHSA-55cf-xx38-4p9p |
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts ## Summary Workspace dotenv files cannot override connector endpoint hosts. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint. ## Fix Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate. ## Fix Commit(s) - 0623079e98abf7202591f1b04a89755eb7ec9272 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @qi-scape for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-7akj-469t-57hz
Aliases: GHSA-7jm2-g593-4qrc |
OpenClaw: Agent gateway config mutations could change protected operator settings ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings. This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium. ## Fix OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching. Fix commit: - `fe30b31a97a917ecc6e92f6c85378b6b20352422` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-a4jz-y9s4-zkfg
Aliases: CVE-2026-44991 GHSA-c28g-vh7m-fm7v |
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners ## Impact OpenClaw deployments before `2026.4.21` could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared `commands.enforceOwnerForCommands: true`; - the channel accepted wildcard inbound senders with `allowFrom: ["*"]`; - no explicit `commands.ownerAllowFrom` was configured. In that state, `src/auto-reply/command-auth.ts` reused the channel inbound wildcard as part of the command-owner decision. A sender who was not the owner could therefore pass the owner-command gate for commands such as `/send`, `/config`, or `/debug` on the affected channel. The issue is limited to the command-owner authorization axis. It does not by itself grant owner-only tool access, host/sandbox access, or gateway administrator scope. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.20` - Patched version: `2026.4.21` The latest public release, `2026.4.21`, contains the fix. ## Patches The fix requires a concrete owner identity or internal operator-admin scope when a plugin enforces owner-only commands. Wildcard channel `allowFrom` no longer implies wildcard command ownership. Fix commits: - `2aa93d44a1b2c7058c371f261fda2b5d4de4a882` on `main` - `995febb7b1e811ff6a1df5b18c22de94103f4c9f` in the `2026.4.21` release line ## Workarounds Upgrade to `openclaw@2026.4.21` or later. Before upgrading, avoid wildcard/open-DM sender policy on owner-enforced channels, or configure `commands.ownerAllowFrom` to the intended owner identities. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 11 other vulnerabilities. |
|
VCID-dv5s-pvw1-a7fu
Aliases: CVE-2026-45004 GHSA-r39h-4c2p-3jxp |
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution ## Summary OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution. ## Impact This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution. ## Fix Commit(s) - `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`) ## Severity Severity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory. |
Affected by 0 other vulnerabilities. |
|
VCID-e25p-j5ed-yqfz
Aliases: GHSA-93rg-2xm5-2p9v |
OpenClaw's Gateway Control UI bootstrap config required Gateway auth ## Summary Gateway Control UI bootstrap config required Gateway auth. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions. ## Fix The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling. ## Fix Commit(s) - 2321d67263bc710e357644d59f746b08d891051b ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-gkyv-ahk7-1ud3
Aliases: GHSA-qrp5-gfw2-gxv4 |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it. The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium. ## Fix OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy. Fix commit: - `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-hz33-9efv-c7ef
Aliases: GHSA-72q8-jcmc-97wx |
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy. The issue is limited to Feishu card-action handling. Severity is medium. ## Fix OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs. Fix commit: - `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-jshg-1pb2-wbak
Aliases: CVE-2026-44116 GHSA-2hh7-c75g-qj2r |
OpenClaw validates Zalo outbound photo URLs through the SSRF guard ## Summary Zalo outbound photo URLs are validated through the SSRF guard. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy. ## Fix Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers. ## Fix Commit(s) - a65eb1b864b7630c1242a82de9e5799b80583c3f ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @foodlook for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-k8s8-zjv4-gqdb
Aliases: GHSA-xrq9-jm7v-g9h7 |
OpenClaw: Paired-device pairing actions were not limited to the caller device ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-kcy2-a98b-uyg7
Aliases: GHSA-x3h8-jrgh-p8jx |
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs ## Summary Exec allowlist analysis rejects shell expansion in unquoted heredocs ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime. ## Fix The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text. ## Fix Commit(s) - b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-nkh4-j2pe-1qhr
Aliases: CVE-2026-44117 GHSA-c4qg-j8jg-42q5 |
OpenClaw: QQBot direct media upload skipped URL SSRF validation ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow. The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low. ## Fix OpenClaw now validates QQBot direct-upload media URLs before `uploadC2CMedia` and `uploadGroupMedia` direct-upload calls. Fix commit: - `49db424c8001f2f419aad85f434894d8d85c1a09` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-p8xd-2um4-9ufr
Aliases: CVE-2026-41908 GHSA-v8qf-fr4g-28p2 |
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy caller without `operator.read` could access assistant-media files and metadata that were otherwise inside allowed media roots. The route still required successful gateway authentication and media-root checks. Severity is low. ## Fix Assistant-media file and metadata requests now require `operator.read` on identity-bearing HTTP auth paths. Fix commit: - `99ef3a63c58440d53f8e45ad861b846032fcb036` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-rr6t-1193-ybgz
Aliases: CVE-2026-44995 GHSA-mj59-h3q9-ghfh |
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server. The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical. ## Fix OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers. Fix commits: - `62fa5071896e95edc7f67d1cebc70a2859e283af` - `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ry1r-br3q-2uaw
Aliases: CVE-2026-44118 GHSA-r6xh-pqhr-v4xh |
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens ## Summary MCP loopback owner context is derived from server-issued bearer tokens. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations. ## Fix The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted. ## Fix Commit(s) - 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-t2ve-xemk-mqa9
Aliases: CVE-2026-44112 GHSA-wppj-c6mr-83jj |
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root ## Summary OpenShell FS bridge writes stay pinned to the sandbox mount root ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root. ## Fix OpenShell write paths now validate the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox. ## Fix Commit(s) - 7be82d4fd1193bcb7e44ee38838f00bf924ffa76 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-vz7k-r7c4-ebfg
Aliases: GHSA-j4c5-89f5-f3pm |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows. Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low. ## Fix OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations. Fix commits: - `1fd049e3074cac72f6734a7fe88468c84f5f8bd7` - `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-w2yd-uw91-9yck
Aliases: CVE-2026-44992 GHSA-h2vw-ph2c-jvwf |
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.4.5, < 2026.4.20` - Patched version: `2026.4.20` ## Impact A malicious workspace `.env` could set `MINIMAX_API_HOST` and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound `Authorization` header. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium. ## Fix OpenClaw now blocks `MINIMAX_API_HOST` from workspace dotenv injection and removes env-driven URL routing from the affected MiniMax request path. Fix commit: - `2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-xj73-kszs-yygp
Aliases: CVE-2026-44997 GHSA-q3jj-46pq-826r |
OpenClaw's ACP child sessions inherit subagent security envelope constraints ## Summary ACP child sessions inherit subagent security envelope constraints. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions. ## Fix ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions. ## Fix Commit(s) - 31160dc069b7cc5d833b39c53736a41ad3befda2 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-y65g-4baa-a7c2
Aliases: CVE-2026-45002 GHSA-2xcp-x87w-q377 |
OpenClaw: Hook mapping templates could bypass hook session-key opt-in ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Templated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers. This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium. ## Fix Template-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks. Fix commit: - `5275d008ed33203dba3f98e969ad683a65c416c3` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ye4t-n6r3-67ab
Aliases: GHSA-cwj3-vqpp-pmxr |
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes ## Summary The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations. ## Impact A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked. ## Fix Commit(s) - `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`) ## Severity Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. |
Affected by 0 other vulnerabilities. |
|
VCID-yhpq-5qy3-y7bn
Aliases: CVE-2026-44114 GHSA-hxvm-xjvf-93f3 |
OpenClaw: Workspace dotenv could override runtime-control environment variables ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium. ## Fix OpenClaw now reserves the workspace `OPENCLAW_` environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables. Fix commit: - `018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ymmv-2qmq-6kap
Aliases: CVE-2026-44113 GHSA-5h3g-6xhh-rg6p |
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read. ## Fix OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback. ## Fix Commit(s) - 95119017c847c737bd113f0bff728c4666d79c45 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-29a1-7ar7-67e1 | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation ## Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. ## Impact A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value. Verified in `v2026.4.15`: - `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot. - `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks. - `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
CVE-2026-43585
GHSA-xmxx-7p24-h892 |
| VCID-7851-2jv5-3qhq | Duplicate Advisory: OpenClaw: Webchat media embedding enforces local-root containment for tool-result files ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mr34-9552-qr95. This link is maintained to preserve external references. ### Original Description OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials. |
GHSA-qc5j-2mqx-x83q
|
| VCID-a46u-tnbh-fyhs | OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths ## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
GHSA-f934-5rqf-xx47
|
| VCID-f4va-2uau-mkdt | Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xh72-v6v9-mwhc. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. |
GHSA-cjg8-85gj-v9q2
|
| VCID-gk95-28x9-17dk | OpenClaw: Webchat audio embedding could read local files without local-root containment ## Impact OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check. The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.14` - Patched version: `2026.4.15` The latest public release, `2026.4.21`, also contains the fix. ## Patches The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding. Fix commit: - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` ## Workarounds Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs. ## Credits OpenClaw thanks @zsxsoft for reporting. |
GHSA-gfg9-5357-hv4c
|
| VCID-h9a4-1twb-d7d1 | OpenClaw: Webchat media embedding enforces local-root containment for tool-result files ## Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. ## Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. ## Affected versions - Affected: `>= 2026.4.7, < 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` hardens the webchat media path and the shared media resolver. Remote-host `file://` URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured `localRoots` containment before `stat` or read operations. Verified in `v2026.4.15`: - `src/gateway/server-methods/chat-webchat-media.ts` uses safe file-URL parsing, rejects Windows network paths, and calls `assertLocalMediaAllowed` before probing local audio files. - `src/media/web-media.ts` rejects remote-host `file://` URLs, Windows network paths, and local-root bypasses on the shared media path. - `src/gateway/server-methods/chat-webchat-media.test.ts` covers both remote-host `file://` rejection and local-root denial before filesystem access. Fix commits included in `v2026.4.15` and absent from `v2026.4.14`: - `1470de5d3e0970856d86cd99336bb8ada3fe87da` via PR #67293 - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` via PR #67298 - `52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc` via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue. |
CVE-2026-41389
GHSA-mr34-9552-qr95 |
| VCID-kxmf-d7w1-xfcv | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. |
CVE-2026-44110
GHSA-2gvc-4f3c-2855 |
| VCID-qk1g-jfae-hubj | Duplicate Advisory: OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries |
GHSA-79rr-5c85-xvw3
|
| VCID-xsct-xjs7-nbab | OpenClaw: Feishu webhook and card-action validation now fail closed ## Summary Feishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. ## Impact A deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch. Verified in `v2026.4.15`: - `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling. - `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard. - `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection. - `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707 Thanks to @dhyabi2 for reporting this issue. |
CVE-2026-44109
GHSA-xh72-v6v9-mwhc |
| VCID-yjzg-gwsn-f7bs | Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xmxx-7p24-h892. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. |
GHSA-m8wm-r5vq-qjpg
|