Package Instance

Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.

Duplicate Advisory: allowlist exec-guard bypass via env -S
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-48wf-g7cp-gr3m. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.

Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-36h3-7c54-j27r. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system.

Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rxxp-482v-7mrh. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.

Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wm8r-w8pf-2v6w. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.

Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption.

Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.

Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-jj82-76v6-933r. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.

Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6j27-pc5c-m8w8. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.

Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-43x4-g22p-3hrq. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the host system.

Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-xgf2-vxv2-rrmg. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.

Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5f9p-f3w2-fwch. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.

Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9868-vxmx-w862. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.

Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-g99v-8hwm-g76g. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations.

Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hff7-ccv5-52f8. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.

Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-25gx-x37c-7pph. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.

Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-p7gr-f84w-hqg5. This link is maintained to preserve external references.

## Original Description
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.