{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","type":"npm","namespace":"","name":"openclaw","version":"2026.2.23","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2026.2.24","latest_non_vulnerable_version":"2026.3.11","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50439?format=json","vulnerability_id":"VCID-236n-3xbh-xba7","summary":"OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode\nIn OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.23","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.23"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28363","reference_id":"CVE-2026-28363","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28363"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78","reference_id":"GHSA-3c6h-g97w-fg78","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78"},{"reference_url":"https://github.com/advisories/GHSA-7977-c43c-xpwj","reference_id":"GHSA-7977-c43c-xpwj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7977-c43c-xpwj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-28363","GHSA-7977-c43c-xpwj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-236n-3xbh-xba7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50598?format=json","vulnerability_id":"VCID-4298-8wwm-5fez","summary":"OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)\nIn some opt-in sandbox configurations, the **experimental** `apply_patch` tool did not consistently apply workspace-only checks to mounted paths (for example `/agent/...`).","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/6634030be31e1a1842967df046c2f2e47490e6bf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/6634030be31e1a1842967df046c2f2e47490e6bf"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-in-apply-patch-tool-via-workspace-only-check-bypass","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-in-apply-patch-tool-via-workspace-only-check-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32007","reference_id":"CVE-2026-32007","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32007"},{"reference_url":"https://github.com/advisories/GHSA-h9xm-j4qg-fvpg","reference_id":"GHSA-h9xm-j4qg-fvpg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h9xm-j4qg-fvpg"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h9xm-j4qg-fvpg","reference_id":"GHSA-h9xm-j4qg-fvpg","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h9xm-j4qg-fvpg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-32007","GHSA-h9xm-j4qg-fvpg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4298-8wwm-5fez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50554?format=json","vulnerability_id":"VCID-6g5n-5y59-aqhn","summary":"OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse\nTwilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32053","reference_id":"CVE-2026-32053","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32053"},{"reference_url":"https://github.com/advisories/GHSA-vqx8-9xxw-f2m7","reference_id":"GHSA-vqx8-9xxw-f2m7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vqx8-9xxw-f2m7"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7","reference_id":"GHSA-vqx8-9xxw-f2m7","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-32053","GHSA-vqx8-9xxw-f2m7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6g5n-5y59-aqhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50588?format=json","vulnerability_id":"VCID-a7ay-d7ey-p3gz","summary":"OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL\n`shell-env` fallback trusted prefix-based executable paths for `$SHELL`, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22217","reference_id":"CVE-2026-22217","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22217"},{"reference_url":"https://github.com/advisories/GHSA-p4wh-cr8m-gm6c","reference_id":"GHSA-p4wh-cr8m-gm6c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-p4wh-cr8m-gm6c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c","reference_id":"GHSA-p4wh-cr8m-gm6c","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-22217","GHSA-p4wh-cr8m-gm6c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a7ay-d7ey-p3gz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50441?format=json","vulnerability_id":"VCID-aj68-v9vn-r7bh","summary":"OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata\nThe OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904"},{"reference_url":"https://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.23","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.23"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-acp-permission-auto-approval-bypass-via-untrusted-tool-metadata","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-acp-permission-auto-approval-bypass-via-untrusted-tool-metadata"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32898","reference_id":"CVE-2026-32898","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32898"},{"reference_url":"https://github.com/advisories/GHSA-7jx5-9fjg-hp4m","reference_id":"GHSA-7jx5-9fjg-hp4m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7jx5-9fjg-hp4m"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m","reference_id":"GHSA-7jx5-9fjg-hp4m","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-32898","GHSA-7jx5-9fjg-hp4m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aj68-v9vn-r7bh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50616?format=json","vulnerability_id":"VCID-bh1b-65yw-rkfn","summary":"OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation\n`tools.exec` allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU `env -S/--split-string` semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606"},{"reference_url":"https://github.com/advisories/GHSA-796m-2973-wc5q","reference_id":"GHSA-796m-2973-wc5q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-796m-2973-wc5q"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q","reference_id":"GHSA-796m-2973-wc5q","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-796m-2973-wc5q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["GHSA-796m-2973-wc5q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bh1b-65yw-rkfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50480?format=json","vulnerability_id":"VCID-f8c1-shx2-kyg3","summary":"OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)\nOpenClaw exec approvals could be bypassed in `allowlist` mode when `allow-always` was granted through unrecognized multiplexer shell wrappers (notably `busybox sh -c` and `toybox sh -c`).","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a67689a7e3ad494b6637c76235a664322d526f9e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/a67689a7e3ad494b6637c76235a664322d526f9e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22175","reference_id":"CVE-2026-22175","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22175"},{"reference_url":"https://github.com/advisories/GHSA-gwqp-86q6-w47g","reference_id":"GHSA-gwqp-86q6-w47g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gwqp-86q6-w47g"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gwqp-86q6-w47g","reference_id":"GHSA-gwqp-86q6-w47g","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gwqp-86q6-w47g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-22175","GHSA-gwqp-86q6-w47g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f8c1-shx2-kyg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50535?format=json","vulnerability_id":"VCID-f8pb-7mzk-pbhc","summary":"OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From\n`commands.allowFrom` is documented as a sender authorization allowlist for commands/directives, but command authorization could include `ctx.From` (conversation identity) as a sender candidate.\n\nWhen `commands.allowFrom` contained conversation-like identifiers (for example Discord `channel:<id>` or WhatsApp group JIDs), command/directive authorization could be granted to participants in that conversation instead of only the intended sender identity.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/08e2aa44e78a9c946d97bea62304e6f533b8fa8e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/08e2aa44e78a9c946d97bea62304e6f533b8fa8e"},{"reference_url":"https://github.com/advisories/GHSA-2ch6-x3g4-7759","reference_id":"GHSA-2ch6-x3g4-7759","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2ch6-x3g4-7759"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2ch6-x3g4-7759","reference_id":"GHSA-2ch6-x3g4-7759","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2ch6-x3g4-7759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["GHSA-2ch6-x3g4-7759"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f8pb-7mzk-pbhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50628?format=json","vulnerability_id":"VCID-ntfj-t4vw-6uac","summary":"OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation\nThe HTML session exporter (`src/auto-reply/reply/export-html/template.js`) interpolates `img.mimeType` directly into `<img src=\"data:...\">` attributes without validation or escaping. A crafted `mimeType` value (e.g., `x\" onerror=\"alert(1)`) can break out of the attribute context and execute arbitrary JavaScript.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f3adf142c195000cbde31200626a1d8c8b716df9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/f3adf142c195000cbde31200626a1d8c8b716df9"},{"reference_url":"https://github.com/openclaw/openclaw/pull/24140","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/pull/24140"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32040","reference_id":"CVE-2026-32040","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32040"},{"reference_url":"https://github.com/advisories/GHSA-2ww6-868g-2c56","reference_id":"GHSA-2ww6-868g-2c56","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2ww6-868g-2c56"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56","reference_id":"GHSA-2ww6-868g-2c56","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-32040","GHSA-2ww6-868g-2c56"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ntfj-t4vw-6uac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50672?format=json","vulnerability_id":"VCID-pmgv-7bsa-wbad","summary":"OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images\nIn OpenClaw, the sandboxed `image` tool did not honor `tools.fs.workspaceOnly=true` for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example `/agent/*`) and forwarding those bytes to vision model providers.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-image-tool-workspaceonly-bypass","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-image-tool-workspaceonly-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32002","reference_id":"CVE-2026-32002","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32002"},{"reference_url":"https://github.com/advisories/GHSA-q6qf-4p5j-r25g","reference_id":"GHSA-q6qf-4p5j-r25g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q6qf-4p5j-r25g"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q6qf-4p5j-r25g","reference_id":"GHSA-q6qf-4p5j-r25g","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q6qf-4p5j-r25g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-32002","GHSA-q6qf-4p5j-r25g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pmgv-7bsa-wbad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50650?format=json","vulnerability_id":"VCID-psws-4czh-h3d1","summary":"OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode\nIn OpenClaw, `tools.exec.safeBins` validation for `sort` could be bypassed via GNU long-option abbreviations in allowlist mode, allowing approval-free execution paths that should require approval.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32059","reference_id":"CVE-2026-32059","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32059"},{"reference_url":"https://github.com/advisories/GHSA-3c6h-g97w-fg78","reference_id":"GHSA-3c6h-g97w-fg78","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3c6h-g97w-fg78"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78","reference_id":"GHSA-3c6h-g97w-fg78","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-32059","GHSA-3c6h-g97w-fg78"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-psws-4czh-h3d1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50600?format=json","vulnerability_id":"VCID-qwqp-9ymd-syat","summary":"OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt\nIn `openclaw` versions up to and including `2026.2.22-2`, a non-default exec-approval configuration could allow a skill-name collision to bypass an `ask=on-miss` prompt.\n\nWhen `autoAllowSkills=true`, a path-scoped executable such as `./skill-bin` could resolve to basename `skill-bin`, satisfy the `skills` allowlist segment, and run without prompting for approval.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ffd63b7a2c4c6d5aeb4710ef951d5794ad7ad77b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/ffd63b7a2c4c6d5aeb4710ef951d5794ad7ad77b"},{"reference_url":"https://github.com/advisories/GHSA-7ff8-xjh3-mgh6","reference_id":"GHSA-7ff8-xjh3-mgh6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7ff8-xjh3-mgh6"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6","reference_id":"GHSA-7ff8-xjh3-mgh6","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7ff8-xjh3-mgh6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["GHSA-7ff8-xjh3-mgh6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qwqp-9ymd-syat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50601?format=json","vulnerability_id":"VCID-vvmq-u18b-ybdu","summary":"OpenClaw has allowlist exec-guard bypass via env -S\nIn `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-allowlist-exec-guard-bypass-via-env-s","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-allowlist-exec-guard-bypass-via-env-s"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31992","reference_id":"CVE-2026-31992","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31992"},{"reference_url":"https://github.com/advisories/GHSA-48wf-g7cp-gr3m","reference_id":"GHSA-48wf-g7cp-gr3m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-48wf-g7cp-gr3m"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m","reference_id":"GHSA-48wf-g7cp-gr3m","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["CVE-2026-31992","GHSA-48wf-g7cp-gr3m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vvmq-u18b-ybdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50658?format=json","vulnerability_id":"VCID-ymxk-4rab-bbe2","summary":"OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering\nThe exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f8524ec77a3999d573e6c6b8a5055bf35c49a2e6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/f8524ec77a3999d573e6c6b8a5055bf35c49a2e6"},{"reference_url":"https://github.com/advisories/GHSA-r294-2894-92j3","reference_id":"GHSA-r294-2894-92j3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r294-2894-92j3"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3","reference_id":"GHSA-r294-2894-92j3","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r294-2894-92j3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["GHSA-r294-2894-92j3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ymxk-4rab-bbe2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50475?format=json","vulnerability_id":"VCID-zq1n-aqjc-9qdf","summary":"OpenClaw: Node exec approvals could be replayed across nodes\n`exec.approval` requests for `host=node` were not explicitly bound to the target `nodeId`, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4a3f8438e527ac371a67fe7ac68a287f0dbe6063","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/4a3f8438e527ac371a67fe7ac68a287f0dbe6063"},{"reference_url":"https://github.com/advisories/GHSA-6x2m-hqfw-hvpj","reference_id":"GHSA-6x2m-hqfw-hvpj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6x2m-hqfw-hvpj"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj","reference_id":"GHSA-6x2m-hqfw-hvpj","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6x2m-hqfw-hvpj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74336?format=json","purl":"pkg:npm/openclaw@2026.2.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}],"aliases":["GHSA-6x2m-hqfw-hvpj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zq1n-aqjc-9qdf"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.23"}