Package Instance

OpenClaw has browser trace/download path symlink escape in temp output handling
Browser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.

OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
In OpenClaw `<= 2026.2.24`, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (`dmPolicy` / `allowFrom`) that are enforced for normal DM message ingress.

In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session.

This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact depends on downstream automation/tool policy.

OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.

OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
The gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process.

This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.

OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
`system.run` approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.

OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.

OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
In `openclaw@2026.2.24`, approval-bound `system.run` on node hosts could be influenced by mutable symlink `cwd` targets between approval and execution.

OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
A sandbox path validation bypass in `openclaw` allows host file reads outside `sandboxRoot` via the media path fallback tmp flow when the fallback tmp root is a symlink alias.

OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
A missing sender-authorization check in Telegram `message_reaction` handling allowed unauthorized users to trigger reaction-derived system events.

OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
A trusted-proxy Control UI pairing bypass accepted `client.id=control-ui` without device identity checks. The bypass did not require `operator` role, so an authenticated `node` role session could connect unpaired and reach node event methods.

OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state
The affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in **beta**.
In that beta onboarding flow, Anthropic OAuth used the PKCE `code_verifier` value as OAuth `state`, exposing that secret in front-channel URL state.

OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations
In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary.

By default, `tools.fs.workspaceOnly` is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only `apply_patch` checks).

OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.

OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
In `openclaw` MS Teams file-consent flow, pending uploads were authorized by `uploadId` alone. `fileConsent/invoke` did not verify the invoke conversation against the conversation that created the pending upload.

OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
OpenClaw Slack monitor handled `reaction_*` and `pin_*` non-message events before applying sender-policy checks consistently.

In affected versions, these events could be added to system-event context even when sender policy would not normally allow them.

OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
In shared Slack workspace deployments that rely on sender restrictions (`allowFrom`, DM policy, or channel user allowlists), some interactive callbacks (`block_action`, `view_submission`, `view_closed`) could be accepted before full sender authorization checks.

In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.

OpenClaw has a IPv6 multicast SSRF classifier bypass
OpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (`ff00::/8`) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks.

OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
A client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including `operator.admin`) before pairing approval, enabling privilege escalation.