{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","type":"npm","namespace":"","name":"openclaw","version":"2026.2.25","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2026.3.2","latest_non_vulnerable_version":"2026.3.11","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50485?format=json","vulnerability_id":"VCID-13gt-wg2j-j3cn","summary":"OpenClaw has browser trace/download path symlink escape in temp output handling\nBrowser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32054","reference_id":"CVE-2026-32054","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32054"},{"reference_url":"https://github.com/advisories/GHSA-36h3-7c54-j27r","reference_id":"GHSA-36h3-7c54-j27r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-36h3-7c54-j27r"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r","reference_id":"GHSA-36h3-7c54-j27r","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/
security/advisories/GHSA-36h3-7c54-j27r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32054","GHSA-36h3-7c54-j27r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-13gt-wg2j-j3cn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50576?format=json","vulnerability_id":"VCID-1m1e-ywyj-2qgz","summary":"OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups\nIn OpenClaw `<= 2026.2.24`, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (`dmPolicy` / `allowFrom`) that are enforced for normal DM message ingress.\n\nIn restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session.\n\nThis is a reaction-only ingress inconsistency. 
By itself it does not directly execute commands; practical impact depends on downstream automation/tool policy.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32028","reference_id":"CVE-2026-32028","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32028"},{"reference_url":"https://github.com/advisories/GHSA-354r-7mfh-7rh2","reference_id":"GHSA-354r-7mfh-7rh2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-354r-7mfh-7rh2"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2","reference_id":"GHSA-354r-7mfh-7rh2","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32028","GHSA-354r-7mfh-7rh2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1m1e-ywyj-2qgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50573?format=j
son","vulnerability_id":"VCID-3f9z-cez9-ykec","summary":"OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing\nWhen Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28449","reference_id":"CVE-2026-28449","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28449"},{"reference_url":"https://github.com/advisories/GHSA-r9q5-c7qc-p26w","reference_id":"GHSA-r9q5-c7qc-p26w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r9q5-c7qc-p26w"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w","reference_id":"GHSA-r9q5-c7qc-p26w","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-28449","GHSA-r9q5-c
7qc-p26w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3f9z-cez9-ykec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50474?format=json","vulnerability_id":"VCID-3yb8-85qk-17dm","summary":"OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write\nThe gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process.\n\nThis could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32013","reference_id":"CVE-2026-32013","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32013"},{"reference_url":"https://github.com/advisories/GHSA-fgvx-58p6-gjwc","reference_id":"GHSA-fgvx-58p6-gjwc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fgvx-58p6-gjwc"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc","reference_id":"GHSA-fgvx-58p6-g
jwc","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32013","GHSA-fgvx-58p6-gjwc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3yb8-85qk-17dm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50502?format=json","vulnerability_id":"VCID-9rch-2vmz-ukgs","summary":"OpenClaw: system.run approval identity mismatch could execute a different binary than displayed\n`system.run` approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver 
saw.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32065","reference_id":"CVE-2026-32065","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32065"},{"reference_url":"https://github.com/advisories/GHSA-hwpq-rrpf-pgcq","reference_id":"GHSA-hwpq-rrpf-pgcq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hwpq-rrpf-pgcq"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq","reference_id":"GHSA-hwpq-rrpf-pgcq","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32065","GHSA-hwpq-rrpf-pgcq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9rch-2vmz-ukgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50594?format=json","vulnerability_id":"VCID-cc1w-ru55-57b3","summary":"OpenClaw's browser-origin WebSocket auth 
hardening gap could enable loopback password brute-force chains\nThis issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c736f11a16d6bc27ea62a0fe40fffae4cb071fdb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/c736f11a16d6bc27ea62a0fe40fffae4cb071fdb"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-password-brute-force-via-browser-origin-websocket-authentication-bypass","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-password-brute-force-via-browser-origin-websocket-authentication-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32025","reference_id":"CVE-2026-32025","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32025"},{"reference_url":"https://github.com/advisories/GHSA-jmmg-jqc7-5qf4","reference_id":"GHSA-jmmg-jqc7-5qf4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jmmg-jqc7-5qf4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jmmg-jqc7-5qf4","reference_id":"GHSA-jmmg-jqc7-5qf4","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-jmmg-jqc7-5qf4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32025","GHSA-jmmg-jqc7-5qf4"],"risk_sc
ore":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cc1w-ru55-57b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50621?format=json","vulnerability_id":"VCID-hmr8-2n1d-syh3","summary":"OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host\nIn `openclaw@2026.2.24`, approval-bound `system.run` on node hosts could be influenced by mutable symlink `cwd` targets between approval and execution.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f37903db","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f37903db"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-via-mutable-symlink-in-system-run-cwd-parameter","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-via-mutable-symlink-in-system-run-cwd-parameter"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32043","reference_id":"CVE-2026-32043","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32043"},{"reference_url":"https://github.com/advisories/GHSA-mwcg-wfq3-4gjc","reference_id":"GHSA-mwcg-wfq3-4gjc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mwcg-wfq3-4gjc"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc","reference_id":"GHSA-mwcg-wfq3-4gjc","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@202
6.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32043","GHSA-mwcg-wfq3-4gjc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hmr8-2n1d-syh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50552?format=json","vulnerability_id":"VCID-jxv3-cdt9-wbdm","summary":"OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot\nA sandbox path validation bypass in `openclaw` allows host file reads outside `sandboxRoot` via the media path fallback tmp flow when the fallback tmp root is a symlink alias.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"},{"reference_url":"https://github.com/advisories/GHSA-xmv6-r34m-62p4","reference_id":"GHSA-xmv6-r34m-62p4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xmv6-r34m-62p4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4","reference_id":"GHSA-xmv6-r34m-62p4","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-xmv6-r34m-62p4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"re
source_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jxv3-cdt9-wbdm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50543?format=json","vulnerability_id":"VCID-nuka-patj-5fc7","summary":"OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection\nA missing sender-authorization check in Telegram `message_reaction` handling allowed unauthorized users to trigger reaction-derived system events.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e56b0cf1a04f992ac6ebc775899f48ea31687640","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/e56b0cf1a04f992ac6ebc775899f48ea31687640"},{"reference_url":"https://github.com/advisories/GHSA-qj22-xqjr-v83v","reference_id":"GHSA-qj22-xqjr-v83v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qj22-xqjr-v83v"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v","reference_id":"GHSA-qj22-xqjr-v83v","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-qj22-xqjr-v83v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nuka-patj-5fc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50564?format=json","vulnerability_id":"VCID-pgez-9z25-xqey","summary":"OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node 
sessions\nA trusted-proxy Control UI pairing bypass accepted `client.id=control-ui` without device identity checks. The bypass did not require `operator` role, so an authenticated `node` role session could connect unpaired and reach node event methods.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32057","reference_id":"CVE-2026-32057","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32057"},{"reference_url":"https://github.com/advisories/GHSA-vvgp-4c28-m3jm","reference_id":"GHSA-vvgp-4c28-m3jm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vvgp-4c28-m3jm"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm","reference_id":"GHSA-vvgp-4c28-m3jm","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32057","GHSA-vvgp-4c28-m3jm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://pu
blic2.vulnerablecode.io/vulnerabilities/VCID-pgez-9z25-xqey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50525?format=json","vulnerability_id":"VCID-s6fk-r5v7-x3ee","summary":"OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state\nThe affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in **beta**.\nIn that beta onboarding flow, Anthropic OAuth used the PKCE `code_verifier` value as OAuth `state`, exposing that secret in front-channel URL state.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8f3310000a8b0c11eced054c2cdb6fb27803511a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/8f3310000a8b0c11eced054c2cdb6fb27803511a"},{"reference_url":"https://github.com/advisories/GHSA-6g25-pc82-vfwp","reference_id":"GHSA-6g25-pc82-vfwp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6g25-pc82-vfwp"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp","reference_id":"GHSA-6g25-pc82-vfwp","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-6g25-pc82-vfwp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s6fk-r5v7-x3ee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50689?format=json","vulnerability_id":"VCID-th8g-pprj-bqgw","summary":"OpenClaw: Hardlink alias 
checks could bypass workspace-only file boundaries in specific configurations\nIn certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary.\n\nBy default, `tools.fs.workspaceOnly` is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only `apply_patch` checks).","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/04d91d0319b82fd4de91ed05e9fc5219ff2ab64e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/04d91d0319b82fd4de91ed05e9fc5219ff2ab64e"},{"reference_url":"https://github.com/advisories/GHSA-3jx4-q2m7-r496","reference_id":"GHSA-3jx4-q2m7-r496","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3jx4-q2m7-r496"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496","reference_id":"GHSA-3jx4-q2m7-r496","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3jx4-q2m7-r496"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-3jx4-q2m7-r496"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-th8g-pprj-bqgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50634?format=json","vulnerability_id":"VCID-ukyb-zk5w-tkdc","summary":"OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks\nIn a narrow 
Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32050","reference_id":"CVE-2026-32050","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32050"},{"reference_url":"https://github.com/advisories/GHSA-792q-qw95-f446","reference_id":"GHSA-792q-qw95-f446","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-792q-qw95-f446"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446","reference_id":"GHSA-792q-qw95-f446","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32050","GHSA-792q-qw95-f446"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ukyb-zk5w-tkdc"},{"url":"http://public2.vulnerablecod
e.io/api/vulnerabilities/50524?format=json","vulnerability_id":"VCID-vp66-1yq4-5qbm","summary":"OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption\nIn `openclaw` MS Teams file-consent flow, pending uploads were authorized by `uploadId` alone. `fileConsent/invoke` did not verify the invoke conversation against the conversation that created the pending upload.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/347f7b9550064f5f5b33c6e07f64e85b9657b6f1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/347f7b9550064f5f5b33c6e07f64e85b9657b6f1"},{"reference_url":"https://github.com/advisories/GHSA-j26j-7qc4-3mrf","reference_id":"GHSA-j26j-7qc4-3mrf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j26j-7qc4-3mrf"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf","reference_id":"GHSA-j26j-7qc4-3mrf","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-j26j-7qc4-3mrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-j26j-7qc4-3mrf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vp66-1yq4-5qbm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50558?format=json","vulnerability_id":"VCID-x6mf-dx99-vydn","summary":"OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress\nOpenClaw Slack monitor handled 
`reaction_*` and `pin_*` non-message events before applying sender-policy checks consistently.\n\nIn affected versions, these events could be added to system-event context even when sender policy would not normally allow them.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/75dfb71e4e8b7c2feba5a8ca662f92ea840e0147","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/75dfb71e4e8b7c2feba5a8ca662f92ea840e0147"},{"reference_url":"https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-sender-policy-bypass-in-slack-reaction-and-pin-event-handlers","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-sender-policy-bypass-in-slack-reaction-and-pin-event-handlers"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32899","reference_id":"CVE-2026-32899","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32899"},{"reference_url":"https://github.com/advisories/GHSA-rm2p-j3r7-4x4j","reference_id":"GHSA-rm2p-j3r7-4x4j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rm2p-j3r7-4x4j"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j","reference_id":"GHSA-rm2p-j3r7-4x4j","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32899","GHSA-rm2p-j3r7-4x4j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x6mf-dx99-vydn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50679?format=json","vulnerability_id":"VCID-xx3p-8f8z-6fcx","summary":"OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows\nIn shared Slack workspace deployments that rely on sender restrictions (`allowFrom`, DM policy, or channel user allowlists), some interactive callbacks (`block_action`, `view_submission`, `view_closed`) could be accepted before full sender authorization checks.\n\nIn that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32005","reference_id":"CVE-2026-32005","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32005"},{"reference_url":"https://github.com/advisories/GHSA-x2ff-j5c2-ggpr","reference_id":"GHSA-x2ff-j5c2-ggpr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x2ff-j5c2-ggpr"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr","reference_id":"GHSA-x2ff-j5c2-ggpr","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["CVE-2026-32005","GHSA-x2ff-j5c2-ggpr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xx3p-8f8z-6fcx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50602?format=json","vulnerability_id":"VCID-yx4j-34ty-4udn","summary":"OpenClaw has a IPv6 multicast SSRF classifier bypass\nOpenClaw's SSRF IP classifier did not treat IPv6 multicast literals (`ff00::/8`) as blocked/private-internal. This allowed literal multicast hosts to pass SSRF preflight checks.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/baf656bc6fd7f83b6033e6dbc2548ec75028641f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/baf656bc6fd7f83b6033e6dbc2548ec75028641f"},{"reference_url":"https://github.com/advisories/GHSA-h97f-6pqj-q452","reference_id":"GHSA-h97f-6pqj-q452","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h97f-6pqj-q452"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452","reference_id":"GHSA-h97f-6pqj-q452","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h97f-6pqj-q452"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-h97f-6pqj-q452"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yx4j-34ty-4udn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50630?format=json","vulnerability_id":"VCID-zkrk-yqcx-dkdb","summary":"OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth\nA client using shared gateway auth could attach an unpaired device identity and request elevated operator scopes (including `operator.admin`) before pairing approval, enabling privilege escalation.","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea"},{"reference_url":"https://github.com/advisories/GHSA-553v-f69r-656j","reference_id":"GHSA-553v-f69r-656j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-553v-f69r-656j"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j","reference_id":"GHSA-553v-f69r-656j","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74377?format=json","purl":"pkg:npm/openclaw@2026.2.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}],"aliases":["GHSA-553v-f69r-656j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zkrk-yqcx-dkdb"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.25"}