Search for packages
| purl | pkg:npm/openclaw@2026.4.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-29a1-7ar7-67e1
Aliases: CVE-2026-43585 GHSA-xmxx-7p24-h892 |
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation ## Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. ## Impact A bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value. Verified in `v2026.4.15`: - `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot. - `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks. - `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-2c8p-gbaw-3ye4
Aliases: CVE-2026-44999 GHSA-57r2-h2wj-g887 |
OpenClaw: Isolated cron awareness events were recorded as trusted system events ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without `trusted: false`. That made the event render as a trusted `System:` event instead of an untrusted system event. This is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. Severity is low. ## Fix OpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers. Fix commit: - `f61896b03cc7031f51106a04566831f4ac2a0bd7` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-2g7x-vu14-nkde
Aliases: CVE-2026-42434 GHSA-736r-jwj6-4w23 |
OpenClaw: Sandboxed agents could escape exec routing via host=node override ## Summary Sandboxed agents could escape exec routing via host=node override. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.5 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact A sandboxed agent could request `host: "node"` and route exec to a remote node instead of the intended sandbox execution path, bypassing the sandbox routing boundary. ## Technical Details The fix blocks sandboxed exec escape to remote node targets and keeps routing aligned with the active sandbox policy. ## Fix The issue was fixed in #63880. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `dffad08529202edbf34e4808788e1182fe10f6a9` - PR: #63880 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-2khh-wv8p-97ff
Aliases: CVE-2026-42435 GHSA-j6c7-3h5x-99g9 |
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms ## Summary Shell-wrapper detection missed env-argv assignment injection forms. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.22 < 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact Exec preflight handling missed shell-wrapper and argv-level environment assignment forms that could affect execution semantics, including high-risk shell environment controls. ## Technical Details The fix broadens shell-wrapper detection and blocks environment assignments in argv forms. High-risk shell variables such as `SHELLOPTS` and `PS4` are covered by the host environment security policy. ## Fix The issue was fixed in #65717. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8f8492d172f4c5b4fd7dd9a47855ed620c8770ab` - PR: #65717 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @decsecre583 for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-2mxq-krq5-bycx
Aliases: CVE-2026-43574 GHSA-49cg-279w-m73x |
OpenClaw: Empty approver lists could grant explicit approval authorization ## Summary Empty approver lists could grant explicit approval authorization. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id. ## Technical Details The fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders. ## Fix The issue was fixed in #65714. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `0a105c0900de701d2ee9f1abc96b017afbd0afdd` - PR: #65714 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-3xmj-n798-x3cw
Aliases: CVE-2026-43527 GHSA-53vx-pmqw-863c |
OpenClaw: Browser SSRF policy default allowed private-network navigation ## Summary Browser SSRF policy default allowed private-network navigation. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests. ## Technical Details The fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default. ## Fix The issue was fixed in #66354 and #66386. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `024f4614a1a1831406e763adc40ef226e3d5e9ed` - `1dabfef28db523e7de81edeb3dd689e9171236a2` - `213c36cf51121ef6c05cfccd78037371f968f31a` - `7eecfa411df3d12e6b810e6ca5df47254fc3db3f` - PR: #66354, #66386 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-4316-7q9a-xuhx
Aliases: CVE-2026-45005 GHSA-q8ff-7ffm-m3r9 |
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload ## Summary OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted. ## Impact An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix Webhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected. ## Fix Commit(s) - `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`) ## Severity Severity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation. |
Affected by 0 other vulnerabilities. |
|
VCID-4u3z-rs45-gbhe
Aliases: CVE-2026-45003 GHSA-55cf-xx38-4p9p |
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts ## Summary Workspace dotenv files cannot override connector endpoint hosts. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint. ## Fix Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate. ## Fix Commit(s) - 0623079e98abf7202591f1b04a89755eb7ec9272 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @qi-scape for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-6wth-qthz-yud8
Aliases: CVE-2026-42436 GHSA-c4qm-58hj-j6pj |
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation ## Summary Browser snapshot and screenshot routes could expose internal page content after navigation. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Authenticated browser tool callers could use snapshot, screenshot, or tab routes that did not consistently validate the final browser target after route-driven navigation. In restrictive browser SSRF configurations this could expose content from internal or otherwise disallowed pages. ## Technical Details The fix re-checks browser snapshot, screenshot, and tab route results against the configured browser SSRF policy before returning page content. Regression coverage was added around snapshot/screenshot and tab-route flows. ## Fix The issue was fixed in #66040. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `b75ad800a59009fc47eaa3471410f69046150e59` - PR: #66040 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-6y5w-am4s-6qa5
Aliases: CVE-2026-43530 GHSA-2cq5-mf3v-mx44 |
OpenClaw: busybox and toybox applet execution weakened exec approval binding ## Summary busybox and toybox applet execution weakened exec approval binding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.23 < 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact Opaque multi-call binaries such as `busybox` and `toybox` could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification. ## Technical Details The fix treats `busybox` and `toybox` as opaque mutable script runners and fails closed rather than binding unsafe applet invocations. ## Fix The issue was fixed in #65713. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `666f48d9b882a8a1415ca53f9567c72499d850c9` - PR: #65713 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @decsecre583 for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-7akj-469t-57hz
Aliases: GHSA-7jm2-g593-4qrc |
OpenClaw: Agent gateway config mutations could change protected operator settings ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings. This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium. ## Fix OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching. Fix commit: - `fe30b31a97a917ecc6e92f6c85378b6b20352422` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-7snr-fn3u-x3b8
Aliases: CVE-2026-43582 GHSA-xq94-r468-qwgj |
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding ## Summary Browser SSRF hostname validation could be bypassed by DNS rebinding. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Browser navigation policy could validate a hostname/IP resolution that differed from the address Chromium ultimately used, allowing DNS rebinding style SSRF pivots. ## Technical Details The fix tightens strict browser hostname navigation so unallowlisted hostname URLs fail closed under restrictive policy. ## Fix The issue was fixed in #64367. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `121c452d666d4749744dc2089287d0227aae2ed3` - PR: #64367 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-9hcd-uj62-8yeu
Aliases: CVE-2026-43533 GHSA-66r7-m7xm-v49h |
OpenClaw: QQBot media tags could read arbitrary local files through reply text ## Summary QQBot media tags could read arbitrary local files through reply text. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact QQBot outbound media tags in AI reply text could reference host-local paths outside the intended media storage boundary, allowing local file disclosure through outbound media handling. ## Technical Details The fix enforces the media storage boundary for all outbound QQBot local file paths. ## Fix The issue was fixed in #63271. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `604777e4414cc3b2ff8861f18f4fb04374c702c6` - PR: #63271 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-9kgh-wj9w-ykff
Aliases: CVE-2026-43526 GHSA-2767-2q9v-9326 |
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes ## Summary QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.12` - Patched versions: `>= 2026.4.12` ## Impact QQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned bytes were then re-uploaded through the channel. ## Technical Details The fix routes QQBot remote media fetches through SSRF-guarded media fetching and explicit URL allowlist policy. ## Fix The issue was fixed in #63495 and #65788. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a` - `ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d` - PR: #63495, #65788 ## Release Process Note Users should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @threalwinky for reporting this issue. |
Affected by 37 other vulnerabilities. |
|
VCID-a46u-tnbh-fyhs
Aliases: GHSA-f934-5rqf-xx47 |
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths ## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-a4jz-y9s4-zkfg
Aliases: CVE-2026-44991 GHSA-c28g-vh7m-fm7v |
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners ## Impact OpenClaw deployments before `2026.4.21` could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared `commands.enforceOwnerForCommands: true`; - the channel accepted wildcard inbound senders with `allowFrom: ["*"]`; - no explicit `commands.ownerAllowFrom` was configured. In that state, `src/auto-reply/command-auth.ts` reused the channel inbound wildcard as part of the command-owner decision. A sender who was not the owner could therefore pass the owner-command gate for commands such as `/send`, `/config`, or `/debug` on the affected channel. The issue is limited to the command-owner authorization axis. It does not by itself grant owner-only tool access, host/sandbox access, or gateway administrator scope. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.20` - Patched version: `2026.4.21` The latest public release, `2026.4.21`, contains the fix. ## Patches The fix requires a concrete owner identity or internal operator-admin scope when a plugin enforces owner-only commands. Wildcard channel `allowFrom` no longer implies wildcard command ownership. Fix commits: - `2aa93d44a1b2c7058c371f261fda2b5d4de4a882` on `main` - `995febb7b1e811ff6a1df5b18c22de94103f4c9f` in the `2026.4.21` release line ## Workarounds Upgrade to `openclaw@2026.4.21` or later. Before upgrading, avoid wildcard/open-DM sender policy on owner-enforced channels, or configure `commands.ownerAllowFrom` to the intended owner identities. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 11 other vulnerabilities. |
|
VCID-c25h-khws-2fc3
Aliases: GHSA-f3h5-h452-vp3j |
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence ## Summary Nostr profile mutation routes allowed operator.write config persistence. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority. ## Technical Details The fix requires `operator.admin` scope for Nostr profile mutation routes. ## Fix The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `6517c700de9bb0ee11b41ab625ef3b63d01b6083` - PR: #63553 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-dfdk-dhwf-9yaj
Aliases: CVE-2026-43528 GHSA-8372-7vhw-cm6q |
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases ## Summary config.get redaction bypass through sourceConfig and runtimeConfig aliases. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials. ## Technical Details The fix explicitly overwrites `sourceConfig` and `runtimeConfig` with the same redacted copies used for `resolved` and `config`, including the invalid-snapshot branch. Tests now cover both alias fields. ## Fix The issue was fixed in #66030. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `86734ef93a2f25063371b04f1946eb300548acd4` - PR: #66030 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-dqb2-dej7-augt
Aliases: CVE-2026-43568 GHSA-5gjc-grvm-m88j |
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands ## Summary Memory dreaming config persistence was reachable from operator.write commands. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.5 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact A write-scoped gateway path could toggle persistent memory dreaming settings through `/dreaming`, crossing into an admin-class configuration mutation. ## Technical Details The fix requires admin scope for persistent dreaming gateway toggles. ## Fix The issue was fixed in #63872. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `6af17b39e11f5f35e23b7e5a5f71a7d0aa3c7310` - PR: #63872 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-dv5s-pvw1-a7fu
Aliases: CVE-2026-45004 GHSA-r39h-4c2p-3jxp |
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution ## Summary OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution. ## Impact This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution. ## Fix Commit(s) - `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`) ## Severity Severity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory. |
Affected by 0 other vulnerabilities. |
|
VCID-e25p-j5ed-yqfz
Aliases: GHSA-93rg-2xm5-2p9v |
OpenClaw's Gateway Control UI bootstrap config required Gateway auth ## Summary Gateway Control UI bootstrap config required Gateway auth. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions. ## Fix The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling. ## Fix Commit(s) - 2321d67263bc710e357644d59f746b08d891051b ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-fuda-zxu8-gbb4
Aliases: GHSA-525j-hqq2-66r4 |
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 ## Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range. ## Technical Details The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured. ## Fix The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fbf11ebdb7110632f93926d0ac7b48f04cb44d77` - PR: #61404 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-gk95-28x9-17dk
Aliases: GHSA-gfg9-5357-hv4c |
OpenClaw: Webchat audio embedding could read local files without local-root containment ## Impact OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check. The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected versions: `<= 2026.4.14` - Patched version: `2026.4.15` The latest public release, `2026.4.21`, also contains the fix. ## Patches The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding. Fix commit: - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` ## Workarounds Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs. ## Credits OpenClaw thanks @zsxsoft for reporting. |
Affected by 24 other vulnerabilities. |
|
VCID-gkyv-ahk7-1ud3
Aliases: GHSA-qrp5-gfw2-gxv4 |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it. The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium. ## Fix OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy. Fix commit: - `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-h9a4-1twb-d7d1
Aliases: CVE-2026-41389 GHSA-mr34-9552-qr95 |
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files ## Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. ## Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result. ## Affected versions - Affected: `>= 2026.4.7, < 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` hardens the webchat media path and the shared media resolver. Remote-host `file://` URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured `localRoots` containment before `stat` or read operations. Verified in `v2026.4.15`: - `src/gateway/server-methods/chat-webchat-media.ts` uses safe file-URL parsing, rejects Windows network paths, and calls `assertLocalMediaAllowed` before probing local audio files. - `src/media/web-media.ts` rejects remote-host `file://` URLs, Windows network paths, and local-root bypasses on the shared media path. - `src/gateway/server-methods/chat-webchat-media.test.ts` covers both remote-host `file://` rejection and local-root denial before filesystem access. Fix commits included in `v2026.4.15` and absent from `v2026.4.14`: - `1470de5d3e0970856d86cd99336bb8ada3fe87da` via PR #67293 - `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` via PR #67298 - `52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc` via PR #67303 as defense-in-depth for trusted media passthrough anchoring Thanks to @Kherrisan for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-hy24-6xpe-pkb7
Aliases: CVE-2026-43566 GHSA-g2hm-779g-vm32 |
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events ## Summary Heartbeat owner downgrade missed untrusted webhook wake events. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.7 < 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving owner-like execution context where the run should have been downgraded. ## Technical Details The fix includes wake and hook event reasons in owner-downgrade inspection and forces downgrade for untrusted hook wake events. ## Fix The issue was fixed in #66031. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `31281bc92f55796817a92bc43f722cba1e77ab42` - PR: #66031 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-hz33-9efv-c7ef
Aliases: GHSA-72q8-jcmc-97wx |
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy. The issue is limited to Feishu card-action handling. Severity is medium. ## Fix OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs. Fix commit: - `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-jshg-1pb2-wbak
Aliases: CVE-2026-44116 GHSA-2hh7-c75g-qj2r |
OpenClaw validates Zalo outbound photo URLs through the SSRF guard ## Summary Zalo outbound photo URLs are validated through the SSRF guard. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy. ## Fix Zalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers. ## Fix Commit(s) - a65eb1b864b7630c1242a82de9e5799b80583c3f ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @foodlook for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-k8s8-zjv4-gqdb
Aliases: GHSA-xrq9-jm7v-g9h7 |
OpenClaw: Paired-device pairing actions were not limited to the caller device ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling. This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low. ## Fix Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests. Fix commit: - `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-k8x3-9pv7-rfax
Aliases: CVE-2026-42438 GHSA-jhpv-5j76-m56h |
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure ## Summary OpenClaw's outbound host-media attachment read helper could enable host-local file reads based on global or agent-level read access without also honoring sender and group-scoped tool policy. In channel deployments that used `toolsBySender` or group policy to deny `read` for less-trusted senders, a denied sender could still trigger host-media attachment loading and cause readable local files to be returned through the outbound media path. ## Affected Versions This issue is known to affect OpenClaw 2026.4.9. Earlier versions were not confirmed during triage, so the advisory range is intentionally scoped to `>= 2026.4.9 < 2026.4.10`. ## Impact Affected deployments are those that both allow host read or filesystem root expansion at the global/agent level and rely on sender or group-scoped policy to deny `read` for some channel participants. In that configuration, the intended sender/group authorization boundary could be bypassed for outbound media reads, potentially disclosing host-local files readable by the OpenClaw process. The issue does not require treating the model prompt as the security boundary. The vulnerable behavior was a concrete policy enforcement mismatch: sender/group policy denied `read`, while the host-media read helper could still be installed without that sender context. ## Resolution Fixed in OpenClaw 2026.4.10 by PR #64459, commit `c949af9fabf3873b5b7c484090cb5f5ab6049a98`. The fix threads sender, session, channel, and account context into outbound media access resolution and intersects host-media read capability creation with the existing group tool policy for `read`. When a concrete sender/group override denies `read`, OpenClaw no longer creates the host `readFile` media capability. Additional attachment canonicalization hardening shipped in 2026.4.14, but the authorization bypass described here was fixed in 2026.4.10. ## Credit Thanks to @Telecaster2147 for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-kcy2-a98b-uyg7
Aliases: GHSA-x3h8-jrgh-p8jx |
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs ## Summary Exec allowlist analysis rejects shell expansion in unquoted heredocs ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime. ## Fix The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text. ## Fix Commit(s) - b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-kxmf-d7w1-xfcv
Aliases: CVE-2026-44110 GHSA-2gvc-4f3c-2855 |
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. |
Affected by 24 other vulnerabilities. |
|
VCID-mszk-dr24-xugw
Aliases: CVE-2026-43567 GHSA-jf25-7968-h2h5 |
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard ## Summary screen_record outPath bypassed workspace-only filesystem guard. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary. ## Technical Details The fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths. ## Fix The issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `635bb35b68d8faa5bfa2fda35feadd315122748a` - PR: #63551 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-mxu5-yjqs-nuap
Aliases: CVE-2026-43573 GHSA-527m-976r-jf79 |
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement ## Summary Existing-session browser interaction routes bypassed SSRF policy enforcement. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Existing-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes. ## Technical Details The fix guards existing-session navigation and interaction routes with browser navigation policy checks. ## Fix The issue was fixed in #64370. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `daeb74920d5ad986cb600625180037e23221e93a` - PR: #64370 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-nkh4-j2pe-1qhr
Aliases: CVE-2026-44117 GHSA-c4qg-j8jg-42q5 |
OpenClaw: QQBot direct media upload skipped URL SSRF validation ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow. The affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low. ## Fix OpenClaw now validates QQBot direct-upload media URLs before `uploadC2CMedia` and `uploadGroupMedia` direct-upload calls. Fix commit: - `49db424c8001f2f419aad85f434894d8d85c1a09` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ns77-4wfj-9ka6
Aliases: CVE-2026-43571 GHSA-82qx-6vj7-p8m2 |
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows ## Summary Channel setup catalog lookups could include untrusted workspace plugin shadows. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-time plugin loading without the intended trust gate. ## Technical Details The fix routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup should not include workspace shadows. ## Fix The issue was fixed in the advisory fix branch. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `1fede43b948df40ca8674511d4bd08d39f6c5837` - PR: private advisory fork ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-nv6g-7gs9-pfan
Aliases: GHSA-92jp-89mq-4374 |
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials ## Summary Sandbox noVNC helper route exposed interactive browser session credentials. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.2.21 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface. ## Technical Details The fix gates the sandbox noVNC helper route behind bridge authentication. ## Fix The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `8dfbf3268bd224b7377d1ecca77a445100746085` - PR: #63882 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-p8xd-2um4-9ufr
Aliases: CVE-2026-41908 GHSA-v8qf-fr4g-28p2 |
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy caller without `operator.read` could access assistant-media files and metadata that were otherwise inside allowed media roots. The route still required successful gateway authentication and media-root checks. Severity is low. ## Fix Assistant-media file and metadata requests now require `operator.read` on identity-bearing HTTP auth paths. Fix commit: - `99ef3a63c58440d53f8e45ad861b846032fcb036` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-pae5-uyu7-k3c1
Aliases: CVE-2026-43580 GHSA-536q-mj95-h29h |
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage ## Summary Browser press/type interaction routes missed complete navigation guard coverage. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement. ## Technical Details The fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows. ## Fix The issue was fixed in #62023 and #63226 and #63889. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe` - `5f5b3d733bdd791cb457f838514179e1288b10b3` - `e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894` - PR: #62023, #63226, #63889 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-pj41-sunw-vbcj
Aliases: GHSA-g375-h3v6-4873 |
OpenClaw: Heartbeat owner downgrade missed local async exec completion events ## Summary Heartbeat owner downgrade missed local async exec completion events. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.3.31 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Local background exec completion text could be missed by heartbeat owner-downgrade detection, leaving a run in a more privileged context than intended after untrusted completion content. ## Technical Details The fix expands exec-completion detection to local background exec formats and adds targeted tests. ## Fix The issue was fixed in #64376. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `19a2e9ddb5a8a494abcba812bb11f51075026a27` - PR: #64376 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-qedr-a3ay-v3gx
Aliases: CVE-2026-42433 GHSA-7jp6-r74r-995q |
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools ## Summary Matrix profile config persistence was reachable from operator.write message tools. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Gateway `operator.write` message-tool paths could reach Matrix profile persistence that should have required admin-level authority. ## Technical Details The fix gates Matrix profile updates for non-owner message-tool runs and prevents write-scoped callers from mutating persistent profile config. ## Fix The issue was fixed in #62662. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `fe0f686c9228fffcec6de4011da45e69a6e23e54` - PR: #62662 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-rr6t-1193-ybgz
Aliases: CVE-2026-44995 GHSA-mj59-h3q9-ghfh |
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server. The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical. ## Fix OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers. Fix commits: - `62fa5071896e95edc7f67d1cebc70a2859e283af` - `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-rvcq-rqbq-4khp
Aliases: CVE-2026-42437 GHSA-vw3h-q6xq-jjm5 |
OpenClaw: Voice-call realtime WebSocket accepted oversized frames ## Summary Voice-call realtime WebSocket accepted oversized frames. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.9 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for deployments exposing that webhook path. ## Technical Details The fix rejects oversized realtime WebSocket frames before processing them. ## Fix The issue was fixed in #63890. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `afadb7dae6738819ad9c7d2597ace0516957d20e` - PR: #63890 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Reporters Thanks to G0odUser from ADLab of VenusTech Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-ry1r-br3q-2uaw
Aliases: CVE-2026-44118 GHSA-r6xh-pqhr-v4xh |
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens ## Summary MCP loopback owner context is derived from server-issued bearer tokens. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations. ## Fix The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted. ## Fix Commit(s) - 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-t2ve-xemk-mqa9
Aliases: CVE-2026-44112 GHSA-wppj-c6mr-83jj |
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root ## Summary OpenShell FS bridge writes stay pinned to the sandbox mount root ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root. ## Fix OpenShell write paths now validate the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox. ## Fix Commit(s) - 7be82d4fd1193bcb7e44ee38838f00bf924ffa76 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-t2yy-9ume-t7be
Aliases: CVE-2026-43535 GHSA-jwrq-8g5x-5fhm |
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context ## Summary Collect-mode queue batches could reuse the last sender authorization context. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.14` - Patched versions: `>= 2026.4.14` ## Impact Collect-mode queued messages from different senders could be drained as one batch using the final sender's authorization context, allowing earlier messages to inherit a more privileged context. ## Technical Details The fix splits collect-mode batches by sender authorization context before dispatch, preserving each message's own trust state. ## Fix The issue was fixed in #66024. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `43d4be902755c970b3d15608679761877718da69` - PR: #66024 ## Release Process Note Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-vz7k-r7c4-ebfg
Aliases: GHSA-j4c5-89f5-f3pm |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows. Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low. ## Fix OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations. Fix commits: - `1fd049e3074cac72f6734a7fe88468c84f5f8bd7` - `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-w2yd-uw91-9yck
Aliases: CVE-2026-44992 GHSA-h2vw-ph2c-jvwf |
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.4.5, < 2026.4.20` - Patched version: `2026.4.20` ## Impact A malicious workspace `.env` could set `MINIMAX_API_HOST` and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound `Authorization` header. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium. ## Fix OpenClaw now blocks `MINIMAX_API_HOST` from workspace dotenv injection and removes env-driven URL routing from the affected MiniMax request path. Fix commit: - `2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-wyat-1259-2kg9
Aliases: CVE-2026-43532 GHSA-c9h3-5p7r-mrjh |
OpenClaw: Discord event cover images bypassed sandbox media normalization ## Summary Discord event cover images bypassed sandbox media normalization. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.7 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Discord event cover image parameters could bypass the sandbox media normalization path used for outbound local media, allowing host-local media references to reach a channel action path that expected normalized media. ## Technical Details The fix includes Discord `eventCreate.image` in sandbox media normalization and adds coverage for the event-create media path. ## Fix The issue was fixed in #64377. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `979c6f09d6fad96596feb91c905934be7e0b4f15` - PR: #64377 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-x2ru-ydpv-f3ah
Aliases: CVE-2026-43529 GHSA-gj9q-8w99-mp8j |
OpenClaw: TOCTOU read in exec script preflight ## Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window. Still, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis. ## Technical Details The vulnerable flow performed separate path validation and file reads in `validateScriptFileForShellBleed`. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read. ## Fix PR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows. ## Fix Commit(s) - `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`) - PR: #62333 ## Release Process Note The fix first shipped in `v2026.4.10`. Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix. ## Credits Thanks to @kikayli for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-xj73-kszs-yygp
Aliases: CVE-2026-44997 GHSA-q3jj-46pq-826r |
OpenClaw's ACP child sessions inherit subagent security envelope constraints ## Summary ACP child sessions inherit subagent security envelope constraints. ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions. ## Fix ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions. ## Fix Commit(s) - 31160dc069b7cc5d833b39c53736a41ad3befda2 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-xsct-xjs7-nbab
Aliases: CVE-2026-44109 GHSA-xh72-v6v9-mwhc |
OpenClaw: Feishu webhook and card-action validation now fail closed ## Summary Feishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. ## Impact A deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch. Verified in `v2026.4.15`: - `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling. - `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard. - `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection. - `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707 Thanks to @dhyabi2 for reporting this issue. |
Affected by 24 other vulnerabilities. |
|
VCID-y65g-4baa-a7c2
Aliases: CVE-2026-45002 GHSA-2xcp-x87w-q377 |
OpenClaw: Hook mapping templates could bypass hook session-key opt-in ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Templated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers. This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium. ## Fix Template-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks. Fix commit: - `5275d008ed33203dba3f98e969ad683a65c416c3` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ye4t-n6r3-67ab
Aliases: GHSA-cwj3-vqpp-pmxr |
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes ## Summary The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations. ## Impact A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config. ## Affected Packages / Versions - Package: `openclaw` on npm - Affected: versions before `2026.4.23` - Fixed: `2026.4.23` - Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23` ## Fix OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked. ## Fix Commit(s) - `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`) ## Severity Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. |
Affected by 0 other vulnerabilities. |
|
VCID-yhpq-5qy3-y7bn
Aliases: CVE-2026-44114 GHSA-hxvm-xjvf-93f3 |
OpenClaw: Workspace dotenv could override runtime-control environment variables ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Workspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium. ## Fix OpenClaw now reserves the workspace `OPENCLAW_` environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables. Fix commit: - `018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6` ## Release Fixed in OpenClaw `2026.4.20`. |
Affected by 12 other vulnerabilities. |
|
VCID-ymmv-2qmq-6kap
Aliases: CVE-2026-44113 GHSA-5h3g-6xhh-rg6p |
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read. ## Fix OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback. ## Fix Commit(s) - 95119017c847c737bd113f0bff728c4666d79c45 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. Thanks @VladimirEliTokarev for reporting. |
Affected by 3 other vulnerabilities. |
|
VCID-zg68-u5b5-vkft
Aliases: CVE-2026-43534 GHSA-7g8c-cfr3-vqqr |
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input ## Summary Agent hook events could enqueue trusted system events from unsanitized external input. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact Agent hook dispatch could turn externally supplied hook metadata into trusted system events, allowing untrusted input to enter the agent as higher-trust context. ## Technical Details The fix sanitizes hook names and marks agent hook system events as untrusted before enqueueing them. ## Fix The issue was fixed in #64372. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `e3a845bde5b54f4f1e742d0a51ba9860f9619b29` - PR: #64372 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zpte-tgt5-wqcm
Aliases: CVE-2026-42439 GHSA-rj2p-j66c-mgqh |
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy ## Summary Browser tabs action select and close routes bypassed SSRF policy. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The browser `/tabs/action` select and close branches could operate on targets without enforcing configured browser SSRF policy, weakening tab-level navigation protections. ## Technical Details The fix enforces browser SSRF policy in the select and close tab-action branches. ## Fix The issue was fixed in #63332. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `48c0347921b7e9438af0312968fc360ca88023f3` - PR: #63332 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
Affected by 42 other vulnerabilities. |
|
VCID-zu4s-jnn3-1kd8
Aliases: CVE-2026-43584 GHSA-vfp4-8x56-j7c5 |
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables ## Summary Exec environment denylist missed high-risk interpreter startup variables. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The exec environment policy missed interpreter startup variables such as `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES`, allowing operator-supplied environment overrides to influence downstream execution or network behavior. ## Technical Details The fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage. ## Fix The issue was fixed in #63277. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `2d126fc62343a7b6895351f96e4e1474bc358140` - PR: #63277 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue. |
Affected by 42 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-arks-g6hw-abbw | OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins ## Summary Workspace provider auth choices could auto-enable untrusted provider plugins. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Non-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin, auto-enabling that plugin during auth setup. ## Technical Details The fix prefers trusted provider origins for auth choices and excludes untrusted workspace choices unless they are explicitly enabled. ## Fix The issue was fixed in #62368. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `2d97eae53e212ae26f3aebcd6a50ffc6877f770d` - PR: #62368 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zpbrent for reporting this issue. |
CVE-2026-43569
GHSA-939r-rj45-g2rj |
| VCID-pdmd-a4fg-8fcg | OpenClaw: Workspace .env could inject OpenClaw runtime-control variables ## Summary Workspace .env could inject OpenClaw runtime-control variables. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact A malicious workspace `.env` file could set OpenClaw runtime-control variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related behavior. ## Technical Details The fix blocks OpenClaw runtime-control keys and key families from workspace `.env` loading. ## Fix The issue was fixed in #62660. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `dbfcef319618158fa40b31cdac386ea34c392c0c` - PR: #62660 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab for reporting this issue. |
CVE-2026-43531
GHSA-7wv4-cc7p-jhxc |
| VCID-w2tj-nqa6-cuam | OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads ## Summary Browser interaction routes could pivot into local CDP and regain file reads. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.9` - Patched versions: `>= 2026.4.9` ## Impact Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards. ## Technical Details The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy. ## Fix The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `5f5b3d733bdd791cb457f838514179e1288b10b3` - PR: #63226 ## Release Process Note Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @tdjackey for reporting this issue. |
GHSA-qmwg-qprg-3j38
|