| purl | pkg:npm/openclaw@2026.4.8 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1f2r-y41u-y7b4 Aliases: CVE-2026-43574 GHSA-49cg-279w-m73x | OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id. | Affected by 37 other vulnerabilities. |
| VCID-1kns-bfm7-wqa7 Aliases: CVE-2026-43530 GHSA-2cq5-mf3v-mx44 | OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations. | Affected by 37 other vulnerabilities. |
| VCID-1qnh-qhcx-63et Aliases: CVE-2026-44110 GHSA-2gvc-4f3c-2855 | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. | Affected by 24 other vulnerabilities. |
| VCID-24x5-nkt2-wbg7 Aliases: CVE-2026-43571 GHSA-82qx-6vj7-p8m2 | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading. | Affected by 42 other vulnerabilities. |
| VCID-27ud-w29j-cbeq Aliases: GHSA-f3h5-h452-vp3j | OpenClaw: Nostr profile mutation routes allowed operator.write config persistence ## Summary Nostr profile mutation routes allowed operator.write config persistence. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority. ## Technical Details The fix requires `operator.admin` scope for Nostr profile mutation routes. ## Fix The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `6517c700de9bb0ee11b41ab625ef3b63d01b6083` - PR: #63553 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. | Affected by 42 other vulnerabilities. |
| VCID-2p3a-gmxy-37gx Aliases: GHSA-92jp-89mq-4374 | OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials ## Summary Sandbox noVNC helper route exposed interactive browser session credentials. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.21 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface. ## Technical Details The fix gates the sandbox noVNC helper route behind bridge authentication. ## Fix The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8dfbf3268bd224b7377d1ecca77a445100746085` - PR: #63882 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. | Affected by 42 other vulnerabilities. |
| VCID-4qqv-57ws-4yb3 Aliases: CVE-2026-45002 GHSA-2xcp-x87w-q377 | OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls. | Affected by 12 other vulnerabilities. |
| VCID-5uvn-998w-hfds Aliases: CVE-2026-43534 GHSA-7g8c-cfr3-vqqr | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. | Affected by 42 other vulnerabilities. |
| VCID-5zh4-jn4s-akc9 Aliases: GHSA-xrq9-jm7v-g9h7 | OpenClaw: Paired-device pairing actions were not limited to the caller device ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`. | Affected by 12 other vulnerabilities. |
| VCID-65nh-ys6n-77ag Aliases: CVE-2026-44118 GHSA-r6xh-pqhr-v4xh | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. | Affected by 3 other vulnerabilities. |
| VCID-6w88-6bts-sudv Aliases: CVE-2026-43585 GHSA-xmxx-7p24-h892 | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. | Affected by 24 other vulnerabilities. |
| VCID-7z3d-j9p7-kqed Aliases: GHSA-g375-h3v6-4873 | OpenClaw: Heartbeat owner downgrade missed local async exec completion events ## Summary Heartbeat owner downgrade missed local async exec completion events. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.3.31 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Local background exec completion text could be missed by heartbeat owner-downgrade detection, leaving a run in a more privileged context than intended after untrusted completion content. ## Technical Details The fix expands exec-completion detection to local background exec formats and adds targeted tests. ## Fix The issue was fixed in #64376. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `19a2e9ddb5a8a494abcba812bb11f51075026a27` - PR: #64376 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. | Affected by 42 other vulnerabilities. |
| VCID-82aq-wxf5-aka8 Aliases: CVE-2026-43527 GHSA-53vx-pmqw-863c | OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests. | Affected by 30 other vulnerabilities. |
| VCID-8h62-5c5b-cbdt Aliases: GHSA-72q8-jcmc-97wx | OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy. The issue is limited to Feishu card-action handling. Severity is medium. ## Fix OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs. Fix commit: - `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166` ## Release Fixed in OpenClaw `2026.4.20`. | Affected by 12 other vulnerabilities. |
| VCID-9u9n-s6sc-2bhw Aliases: CVE-2026-44116 GHSA-2hh7-c75g-qj2r | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. | Affected by 3 other vulnerabilities. |
| VCID-9zkk-mp8b-kbbg Aliases: CVE-2026-43582 GHSA-xq94-r468-qwgj | OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs. | Affected by 42 other vulnerabilities. |
| VCID-a727-qa7y-y3hf Aliases: CVE-2026-43532 GHSA-c9h3-5p7r-mrjh | OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media. | Affected by 42 other vulnerabilities. |
| VCID-afjz-us2v-k7ak Aliases: CVE-2026-44112 GHSA-wppj-c6mr-83jj | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. | Affected by 3 other vulnerabilities. |
| VCID-b158-4js1-77de Aliases: CVE-2026-44992 GHSA-h2vw-ph2c-jvwf | OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers. | Affected by 12 other vulnerabilities. |
| VCID-c3fa-2u7p-pkgn Aliases: CVE-2026-44109 GHSA-xh72-v6v9-mwhc | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. | Affected by 24 other vulnerabilities. |
| VCID-c3hg-hct8-eqbv Aliases: CVE-2026-42436 GHSA-c4qm-58hj-j6pj | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation. | Affected by 30 other vulnerabilities. |
| VCID-c8dt-7z8a-qufe Aliases: CVE-2026-45003 GHSA-55cf-xx38-4p9p | OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files. | Affected by 3 other vulnerabilities. |
| VCID-cbdg-vzrj-puc2 Aliases: CVE-2026-44995 GHSA-mj59-h3q9-ghfh | OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers. | Affected by 12 other vulnerabilities. |
| VCID-cf4u-fs5p-3ue3 Aliases: CVE-2026-44117 GHSA-c4qg-j8jg-42q5 | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. | Affected by 12 other vulnerabilities. |
| VCID-crh9-tw4p-2bgr Aliases: CVE-2026-43567 GHSA-jf25-7968-h2h5 | OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system. | Affected by 42 other vulnerabilities. |
| VCID-d34s-z46v-gygk Aliases: CVE-2026-43573 GHSA-527m-976r-jf79 | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement. | Affected by 42 other vulnerabilities. |
| VCID-e327-pu9e-x7gh Aliases: CVE-2026-44997 GHSA-q3jj-46pq-826r | OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources. | Affected by 3 other vulnerabilities. |
| VCID-e8sz-63dk-tfbs Aliases: CVE-2026-44991 GHSA-c28g-vh7m-fm7v | OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks. | Affected by 11 other vulnerabilities. |
| VCID-eaeg-e381-nyh5 Aliases: CVE-2026-43533 GHSA-66r7-m7xm-v49h | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. | Affected by 42 other vulnerabilities. |
| VCID-eefn-gpc1-mfdx Aliases: GHSA-cwj3-vqpp-pmxr | OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes ## Summary The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations. ## Impact A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked. ## Fix Commit(s) - `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`) ## Severity Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. | Affected by 0 other vulnerabilities. |
| VCID-f22e-sy58-g7fb Aliases: CVE-2026-43569 GHSA-939r-rj45-g2rj | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent. | Affected by 59 other vulnerabilities. |
| VCID-f925-x5qa-buav Aliases: CVE-2026-42439 GHSA-rj2p-j66c-mgqh | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. | Affected by 42 other vulnerabilities. |
| VCID-f95y-gnx3-wydp Aliases: CVE-2026-42433 GHSA-7jp6-r74r-995q | OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs. | Affected by 42 other vulnerabilities. |
| VCID-fcfw-yctj-v3cy Aliases: CVE-2026-42435 GHSA-j6c7-3h5x-99g9 | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls. | Affected by 37 other vulnerabilities. |
| VCID-fgkb-fmuq-wffh Aliases: CVE-2026-45004 GHSA-r39h-4c2p-3jxp | OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory. | Affected by 0 other vulnerabilities. |
| VCID-h78a-py8h-ekgj Aliases: CVE-2026-43584 GHSA-vfp4-8x56-j7c5 | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. | Affected by 42 other vulnerabilities. |
| VCID-hbkd-8rx2-4qb8 Aliases: GHSA-7jm2-g593-4qrc | OpenClaw: Agent gateway config mutations could change protected operator settings ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings. This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium. ## Fix OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching. Fix commit: - `fe30b31a97a917ecc6e92f6c85378b6b20352422` ## Release Fixed in OpenClaw `2026.4.20`. | Affected by 12 other vulnerabilities. |
| VCID-hwyc-kv1j-1yhm Aliases: CVE-2026-41389 GHSA-mr34-9552-qr95 | OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials. | Affected by 24 other vulnerabilities. |
| VCID-jarm-du2f-1uef Aliases: CVE-2026-43529 GHSA-gj9q-8w99-mp8j | OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check. | Affected by 42 other vulnerabilities. |
| VCID-jdbz-6b2q-xyav Aliases: GHSA-93rg-2xm5-2p9v | OpenClaw's Gateway Control UI bootstrap config required Gateway auth ## Summary Gateway Control UI bootstrap config required Gateway auth. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions. ## Fix The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling. ## Fix Commit(s) - 2321d67263bc710e357644d59f746b08d891051b ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft for reporting. | Affected by 3 other vulnerabilities. |
| VCID-jwnv-j7hq-sbh9 Aliases: GHSA-f934-5rqf-xx47 | OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths ## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. | Affected by 24 other vulnerabilities. |
| VCID-kact-h3hk-d7eg Aliases: GHSA-525j-hqq2-66r4 | OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 ## Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range. ## Technical Details The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured. ## Fix The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fbf11ebdb7110632f93926d0ac7b48f04cb44d77` - PR: #61404 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. | Affected by 42 other vulnerabilities. |
| VCID-kkqe-kjun-mufe Aliases: CVE-2026-43526 GHSA-2767-2q9v-9326 | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. | Affected by 37 other vulnerabilities. |
| VCID-ns2g-q3vb-akcm Aliases: CVE-2026-43566 GHSA-g2hm-779g-vm32 | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded. | Affected by 30 other vulnerabilities. |
| VCID-nue7-qr3q-e3h4 Aliases: CVE-2026-42434 GHSA-736r-jwj6-4w23 | OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths. | Affected by 42 other vulnerabilities. |
| VCID-qcd6-fjdp-hyam Aliases: CVE-2026-43568 GHSA-5gjc-grvm-m88j | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges. | Affected by 42 other vulnerabilities. |
| VCID-qpq9-cabj-a7hj Aliases: CVE-2026-41908 GHSA-v8qf-fr4g-28p2 | OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots. | Affected by 12 other vulnerabilities. |
| VCID-qqsk-1mk9-pygw Aliases: CVE-2026-44113 GHSA-5h3g-6xhh-rg6p | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. | Affected by 3 other vulnerabilities. |
| VCID-r75w-jwbm-dyew Aliases: CVE-2026-44999 GHSA-57r2-h2wj-g887 | OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events. | Affected by 12 other vulnerabilities. |
| VCID-rr2j-c7md-57gj Aliases: CVE-2026-43535 GHSA-jwrq-8g5x-5fhm | OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions. | Affected by 30 other vulnerabilities. |
| VCID-sbxm-vwhw-9fhd Aliases: GHSA-x3h8-jrgh-p8jx | OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs ## Summary Exec allowlist analysis rejects shell expansion in unquoted heredocs ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime. ## Fix The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text. ## Fix Commit(s) - b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. | Affected by 3 other vulnerabilities. |
| VCID-t7nn-6cy7-2yak Aliases: GHSA-gfg9-5357-hv4c | OpenClaw: Webchat audio embedding could read local files without local-root containment ## Impact OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check. The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.14` - Patched version: `2026.4.15` The latest public release, `2026.4.21`, also contains the fix. ## Patches The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding. Fix commit: - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` ## Workarounds Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs. ## Credits OpenClaw thanks @zsxsoft for reporting. | Affected by 24 other vulnerabilities. |
|
VCID-tegh-qc36-ufha
Aliases: GHSA-qrp5-gfw2-gxv4 |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it. The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium. ## Fix OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy. Fix commit: - `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-tgnw-vne2-2kc1
Aliases: GHSA-qmwg-qprg-3j38 |
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads ## Summary Browser interaction routes could pivot into local CDP and regain file reads. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards. ## Technical Details The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy. ## Fix The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `5f5b3d733bdd791cb457f838514179e1288b10b3` - PR: #63226 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 59 other vulnerabilities. |
|
VCID-v3u2-k16m-9kdp
Aliases: CVE-2026-43528 GHSA-8372-7vhw-cm6q |
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted. |
Affected by 30 other vulnerabilities. |
|
VCID-v6e8-g5w8-k3ax
Aliases: GHSA-j4c5-89f5-f3pm |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows. Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low. ## Fix OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations. Fix commits: - `1fd049e3074cac72f6734a7fe88468c84f5f8bd7` - `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-x5a1-bdbv-2fbv
Aliases: CVE-2026-43531 GHSA-7wv4-cc7p-jhxc |
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior. |
Affected by 59 other vulnerabilities. |
|
VCID-xttb-bfmd-uyfh
Aliases: CVE-2026-43580 GHSA-536q-mj95-h29h |
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation. |
Affected by 42 other vulnerabilities. |
|
VCID-y5k6-v1cj-cqg6
Aliases: CVE-2026-45005 GHSA-q8ff-7ffm-m3r9 |
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart. |
Affected by 0 other vulnerabilities. |
|
VCID-yqjc-khg8-uyb4
Aliases: CVE-2026-44114 GHSA-hxvm-xjvf-93f3 |
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. |
Affected by 12 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-6ce4-zpfh-pybu | OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations. | CVE-2026-42431 GHSA-cmfr-9m2r-xwhq |
| VCID-84ms-aakm-x3dc | OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment. | CVE-2026-42428 GHSA-3vvq-q2qc-7rmp |
| VCID-8h7u-pr1w-z7df | OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity. | CVE-2026-41915 GHSA-cm8v-2vh9-cxf3 |
| VCID-925q-556p-q3f6 | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies. | CVE-2026-41914 GHSA-3fv3-6p2v-gxwj |
| VCID-9xv8-jtc8-ekcr | OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary. | CVE-2026-42423 GHSA-q2gc-xjqw-qp89 |
| VCID-a4pw-9uzw-47ge | OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media. | CVE-2026-42424 GHSA-qqq7-4hxc-x63c |
| VCID-aegc-6ab1-k7hk | OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. | CVE-2026-40037 GHSA-qx8j-g322-qj6m |
| VCID-bvyn-2c5r-4bce | | CVE-2026-42427 GHSA-7437-7hg8-frrw |
| VCID-c8mh-j256-j3aa | ## Impact OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.3.28` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @wsparks-vc for reporting. | GHSA-w9j9-w4cp-6wgr |
| VCID-cfj6-nuq4-wudw | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations. | CVE-2026-42429 GHSA-4f8g-77mw-3rxc |
| VCID-gd62-paxx-abgy | OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations. | CVE-2026-41916 GHSA-68x5-xx89-w9mm |
| VCID-hrnb-5t6m-jkaq | OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model. | CVE-2026-41910 GHSA-vc32-h5mq-453v |
| VCID-kfmd-usy4-afbu | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections. | CVE-2026-42430 GHSA-w8g9-x8gx-crmm |
| VCID-nkkj-ue4v-3ueh | OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions. | CVE-2026-42421 GHSA-5h3f-885m-v22w |
| VCID-pyut-62r7-6fgp | | CVE-2026-42420 GHSA-ccx3-fw7q-rr2r |
| VCID-qmnc-zfxh-87g4 | | CVE-2026-41912 GHSA-vr5g-mmx7-h897 |
| VCID-qqz4-uy33-qya2 | OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy. | CVE-2026-41911 GHSA-5fc7-f62m-8983 |
| VCID-qt8t-f9xc-qbgp | Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. | GHSA-pg8g-f2hf-x82m |
| VCID-qujt-gddx-ckbm | OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval. | CVE-2026-42422 GHSA-whf9-3hcx-gq54 |
| VCID-rm55-3hs1-23b4 | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system. | CVE-2026-42432 GHSA-5wj5-87vq-39xm |
| VCID-tm7a-1rzn-5yak | OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade ## Impact Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. | GHSA-gfmx-pph7-g46x |
| VCID-xhej-v61s-vkht | OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes. | CVE-2026-42426 GHSA-67mf-f936-ppxf |
| VCID-y927-u929-17bd | OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel ## Impact Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel. An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.2` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @tdjackey for reporting. | GHSA-jf56-mccx-5f3f |