From 2d17e893e01462107c595c5cec1831bef64165c1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Jun 2026 07:34:42 +0000 Subject: [PATCH] chore: update NVD/GHSA advisories - 14 NVD new, 0 NVD updated Automated update from NVD CVE and GHSA advisory feeds. Keywords: openclaw, nanoclaw, hermes, picoclaw Poll window: 2026-06-10T08:30:16Z to 2026-06-12T07:33:23.000Z --- advisories/feed.json | 1107 ++++++++---------- advisories/feed.json.sig | 2 +- advisories/ghsa-without-cve.json | 198 ++-- advisories/ghsa-without-cve.json.sig | 2 +- skills/clawsec-feed/advisories/feed.json | 1107 ++++++++---------- skills/clawsec-feed/advisories/feed.json.sig | 2 +- 6 files changed, 1070 insertions(+), 1348 deletions(-) diff --git a/advisories/feed.json b/advisories/feed.json index 2aa9f68..11c75f3 100644 --- a/advisories/feed.json +++ b/advisories/feed.json @@ -1,8 +1,484 @@ { "version": "0.0.3", - "updated": "2026-06-10T08:30:16Z", + "updated": "2026-06-12T07:34:34Z", "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.", "advisories": [ + { + "id": "CVE-2026-53819", + "severity": "high", + "type": "unknown_cwe_426", + "nvd_category_id": "CWE-426", + "title": "OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows ...", + "description": "OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:24.227", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", + "https://www.vulncheck.com/advisories/openclaw-arbitrary-homebrew-executable-execution-via-workspace-env-override" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53819", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": false, + "requires_user_interaction": true, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53818", + "severity": "medium", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature...", + "description": "OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:24.090", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", + "https://www.vulncheck.com/advisories/openclaw-owner-only-tool-policy-bypass-via-mcp-loopback" + ], + "cvss_score": 6.6, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53818", + "exploitability_score": "medium", + "exploitability_rationale": "Medium CVSS score (6.6); requires local access", + "attack_vector_analysis": { + "is_network_accessible": false, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53817", + "severity": "high", + "type": "unknown_cwe_290", + "nvd_category_id": "CWE-290", + "title": "OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that al...", + "description": "OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.960", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", + "https://www.vulncheck.com/advisories/openclaw-control-ui-locality-spoofing-in-device-pairing" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53817", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53816", + "severity": "high", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event...", + "description": "OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.830", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", + "https://www.vulncheck.com/advisories/openclaw-exec-lifecycle-event-forgery-via-paired-node" + ], + "cvss_score": 7.2, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53816", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (7.2); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53815", + "severity": "medium", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions tha...", + "description": "OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.697", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", + "https://www.vulncheck.com/advisories/openclaw-channel-allowlist-bypass-in-message-read-actions" + ], + "cvss_score": 6.5, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53815", + "exploitability_score": "medium", + "exploitability_rationale": "Medium CVSS score (6.5); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53814", + "severity": "high", + "type": "unknown_cwe_266", + "nvd_category_id": "CWE-266", + "title": "OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent r...", + "description": "OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.570", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", + "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-hook-triggered-cli-mcp-tool-authority" + ], + "cvss_score": 8.3, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53814", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.3); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53813", + "severity": "high", + "type": "unknown_cwe_427", + "nvd_category_id": "CWE-427", + "title": "OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading wh...", + "description": "OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.440", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", + "https://www.vulncheck.com/advisories/openclaw-arbitrary-artifact-loading-via-fake-package-root-resolution" + ], + "cvss_score": 7.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53813", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (7.8); requires local access; path traversal affects agents with file access", + "attack_vector_analysis": { + "is_network_accessible": false, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53812", + "severity": "high", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control th...", + "description": "OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.303", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", + "https://www.vulncheck.com/advisories/openclaw-private-network-navigation-bypass-via-browser-act-interactions" + ], + "cvss_score": 7.7, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53812", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53811", + "severity": "high", + "type": "unknown_cwe_290", + "nvd_category_id": "CWE-290", + "title": "OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom featu...", + "description": "OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.167", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", + "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-mutable-display-names-in-matrix-allowfrom" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53811", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53810", + "severity": "high", + "type": "unknown_cwe_829", + "nvd_category_id": "CWE-829", + "title": "OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extensio...", + "description": "OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, bypassing security scanning.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.030", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", + "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unscanned-marketplace-runtime-extension-metadata" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53810", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": false, + "requires_user_interaction": true, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53809", + "severity": "low", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allo...", + "description": "OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.857", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", + "https://www.vulncheck.com/advisories/openclaw-provider-alias-confusion-in-embedded-runner-policy" + ], + "cvss_score": 3.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53809", + "exploitability_score": "low", + "exploitability_rationale": "Low CVSS score (3.8); requires local access", + "attack_vector_analysis": { + "is_network_accessible": false, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53808", + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop appl...", + "description": "OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before the expected approval step, potentially modifying configurations without proper authorization.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.717", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", + "https://www.vulncheck.com/advisories/openclaw-approval-policy-bypass-in-skill-workshop-apply-flow" + ], + "cvss_score": 6.5, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53808", + "exploitability_score": "medium", + "exploitability_rationale": "Medium CVSS score (6.5); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": false, + "requires_user_interaction": true, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53807", + "severity": "high", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive call...", + "description": "OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.580", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", + "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-telegram-interactive-callbacks-via-commands-allowfrom" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53807", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53806", + "severity": "high", + "type": "unknown_cwe_367", + "nvd_category_id": "CWE-367", + "title": "OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX s...", + "description": "OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without intended allowlist validation, potentially enabling unauthorized command execution when the affected feature is enabled.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.443", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", + "https://www.vulncheck.com/advisories/openclaw-shell-option-parsing-bypass-in-exec-revalidation" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53806", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, { "id": "CVE-2026-11461", "severity": "medium", @@ -500,52 +976,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-rj6p-xmxr-qj4h", - "ghsa_id": "GHSA-rj6p-xmxr-qj4h", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "missing_authorization", - "nvd_category_id": "CWE-862", - "title": "MCP loopback could skip owner-only tool policy for non-owner callers", - "description": "Summary MCP loopback could skip owner-only tool policy for non-owner callers. In affected versions, a non-owner caller reaching the affected loopback path could skip owner-only tool policy and before-tool-call hooks. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could invoke owner-only behavior through that loopback path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Resolution Update to a patched OpenClaw release when one is listed for this advisory. If the Patched versions field is populated, use that version or later. Mitigations restrict MCP loopback access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<2026.4.24" - ], - "patched": [ - "openclaw@2026.4.24" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:40:09Z", - "updated": "2026-05-28T17:40:10Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", - "nvd_url": null, - "cvss_score": 6.6, - "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", - "cwe_ids": [ - "CWE-862" - ], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-rj6p-xmxr-qj4h" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-4m3v-q747-pc6h", "ghsa_id": "GHSA-4m3v-q747-pc6h", @@ -632,50 +1062,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-p39j-x9h5-q66m", - "ghsa_id": "GHSA-p39j-x9h5-q66m", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Embedded runner policy could be confused by provider aliases", - "description": "Summary Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could select bundled tool access outside the intended provider policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations avoid provider alias routing for embedded runner tool policy until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.4.24" - ], - "patched": [ - "openclaw@2026.4.25" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:40:05Z", - "updated": "2026-05-28T17:40:05Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-p39j-x9h5-q66m" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-mpc8-jxjh-qpgh", "ghsa_id": "GHSA-mpc8-jxjh-qpgh", @@ -934,48 +1320,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-v8cx-933x-r976", - "ghsa_id": "GHSA-v8cx-933x-r976", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Fake package roots could influence memory-core artifact loading", - "description": "Summary Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load memory-core artifacts from an unintended local location. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations run memory-core flows from trusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.4.24" - ], - "patched": [ - "openclaw@2026.4.25" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:56Z", - "updated": "2026-05-28T17:39:56Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "feynman-hou" - ], - "aliases": [ - "GHSA-v8cx-933x-r976" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-wc84-j36w-pw4x", "ghsa_id": "GHSA-wc84-j36w-pw4x", @@ -1060,48 +1404,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-8wg3-5mcm-fjq8", - "ghsa_id": "GHSA-8wg3-5mcm-fjq8", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Workspace .env could override Homebrew executable selection for skill install flows", - "description": "Summary Workspace .env could override Homebrew executable selection for skill install flows. In affected versions, a workspace .env in a repository opened by a trusted operator could override the Homebrew executable used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an unintended Homebrew-compatible executable during skill setup. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.27. Mitigations avoid running skill install flows from untrusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@< 2026.5.27" - ], - "patched": [ - "openclaw@2026.5.27" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:53Z", - "updated": "2026-05-28T17:39:53Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "feynman-hou" - ], - "aliases": [ - "GHSA-8wg3-5mcm-fjq8" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-77pv-3w4q-vrj5", "ghsa_id": "GHSA-77pv-3w4q-vrj5", @@ -1629,50 +1931,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-cqwv-9qjx-vxw2", - "ghsa_id": "GHSA-cqwv-9qjx-vxw2", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Skill Workshop apply flow could override pending approval", - "description": "Summary Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set apply: true despite approvalPolicy: pending. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply a workshop change before the expected approval step. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations review Skill Workshop changes manually and keep the tool restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.5.5" - ], - "patched": [ - "openclaw@2026.5.6" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:35Z", - "updated": "2026-05-28T17:39:35Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", - "nvd_url": null, - "cvss_score": 5.3, - "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", - "cwe_ids": [], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-cqwv-9qjx-vxw2" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-68xw-r643-9p5w", "ghsa_id": "GHSA-68xw-r643-9p5w", @@ -1761,50 +2019,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-w5ww-7chg-mxcq", - "ghsa_id": "GHSA-w5ww-7chg-mxcq", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Telegram interactive callbacks could skip commands.allowFrom", - "description": "Summary Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations restrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.5.5" - ], - "patched": [ - "openclaw@2026.5.6" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:32Z", - "updated": "2026-05-28T17:39:32Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-w5ww-7chg-mxcq" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-p73f-w79w-jqr5", "ghsa_id": "GHSA-p73f-w79w-jqr5", @@ -1849,50 +2063,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-7hxm-f538-3xp6", - "ghsa_id": "GHSA-7hxm-f538-3xp6", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": "CWE-290", - "title": "Matrix allowFrom could bind to mutable display names", - "description": "Summary Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Matrix identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations use stable Matrix user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<= 2026.5.6" - ], - "patched": [ - "openclaw@2026.5.7" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:30Z", - "updated": "2026-05-28T17:39:30Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-290" - ], - "credits": [ - "PhilipPhil" - ], - "aliases": [ - "GHSA-7hxm-f538-3xp6" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-cw4q-gqg5-g38h", "ghsa_id": "GHSA-cw4q-gqg5-g38h", @@ -2377,53 +2547,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-chr9-m4q2-76hw", - "ghsa_id": "GHSA-chr9-m4q2-76hw", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "improper_access_control", - "nvd_category_id": "CWE-284", - "title": "Control UI locality spoofing could mint a durable admin device token", - "description": "Summary In affected LAN/shared-token Control UI deployments, a caller could spoof locality information used during Control UI pairing and obtain a durable admin-capable device token. This issue is limited to deployments where the caller already has the network/authentication foothold needed to reach the Control UI pairing path. It is not an unauthenticated internet exposure issue. Affected configurations This affects configurations such as LAN-bound gateways or shared-token Control UI access where locality signals were accepted as sufficient for pairing decisions. Impact A temporary or shared Control UI access path could be turned into a persistent admin device token. That token could remain useful after the shared gateway token was rotated, unless the paired device was removed. The issue is a pairing/locality validation problem: locality-derived trust was stronger than it should have been. Patched Versions The first stable patched version is 2026.5.22. Mitigations Upgrade to openclaw@2026.5.22 or later. For older deployments, remove unexpected paired devices and avoid exposing Control UI pairing paths on networks with untrusted clients.", - "affected": [ - "openclaw@< 2026.5.22" - ], - "patched": [ - "openclaw@2026.5.22" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:12Z", - "updated": "2026-05-28T17:39:12Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", - "nvd_url": null, - "cvss_score": 8, - "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cwe_ids": [ - "CWE-284", - "CWE-287", - "CWE-290", - "CWE-863" - ], - "credits": [ - "cantinagen" - ], - "aliases": [ - "GHSA-chr9-m4q2-76hw" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-rggc-m335-3wvj", "ghsa_id": "GHSA-rggc-m335-3wvj", @@ -2473,52 +2596,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-6fvr-66p3-3qj4", - "ghsa_id": "GHSA-6fvr-66p3-3qj4", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "exposure_of_sensitive_information", - "nvd_category_id": "CWE-200", - "title": "Hook-triggered CLI runs could receive owner MCP tool authority", - "description": "Summary OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress. This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled. Affected configurations This affects deployments where hooks are enabled, /hooks/agent is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run. Impact A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action. Patched Versions The first stable patched version is 2026.5.20. Fixed in the 2026.5.20 stable release. Mitigations Upgrade to openclaw@2026.5.20 or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.", - "affected": [ - "openclaw@< 2026.5.20" - ], - "patched": [ - "openclaw@2026.5.20" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:09Z", - "updated": "2026-05-28T17:39:09Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", - "nvd_url": null, - "cvss_score": 8.4, - "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", - "cwe_ids": [ - "CWE-200", - "CWE-284" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-6fvr-66p3-3qj4" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-q99w-vh6v-q3v7", "ghsa_id": "GHSA-q99w-vh6v-q3v7", @@ -2565,146 +2642,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-3c6j-hq33-3jv4", - "ghsa_id": "GHSA-3c6j-hq33-3jv4", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "improper_access_control", - "nvd_category_id": "CWE-284", - "title": "Paired nodes could forge exec lifecycle events without system.run provenance", - "description": "Summary OpenClaw nodes send lifecycle events back to the gateway. In affected releases, a paired node could send an exec lifecycle event that was accepted without enough provenance tying it to an authorized system.run request. This issue affects the node event boundary. It does not allow an unauthenticated caller to reach the gateway; the attacker must already control a paired node connection. Affected configurations This affects deployments with a paired node where that node can send crafted node.event messages to the gateway and the target agent/session can process exec lifecycle events. Impact A malicious or compromised paired node could make the gateway treat attacker-supplied event data as an exec lifecycle result. In the vulnerable flow, that could steer the target session into an exec-event path that exposed capabilities the reduced node surface should not have provided. The issue is a missing provenance check for node-originated lifecycle events. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Pair nodes only from trusted environments, and remove/re-pair nodes that may have been compromised.", - "affected": [ - "openclaw@< 2026.5.18" - ], - "patched": [ - "openclaw@2026.5.18" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:06Z", - "updated": "2026-05-28T17:39:06Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", - "nvd_url": null, - "cvss_score": 7.2, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cwe_ids": [ - "CWE-284", - "CWE-863" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-3c6j-hq33-3jv4" - ], - "source_feed": "ghsa-without-cve" - }, - { - "id": "GHSA-2hfg-4fh4-qp7f", - "ghsa_id": "GHSA-2hfg-4fh4-qp7f", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "improper_access_control", - "nvd_category_id": "CWE-284", - "title": "Browser act interactions could bypass private-network navigation checks", - "description": "Summary OpenClaw's browser control SSRF checks blocked direct navigation to private or loopback URLs, but some Playwright act interactions could trigger navigation after the initial check. A later browser evaluation could then read from the page reached by that action-triggered navigation. This issue is specific to browser control actions and private-network navigation policy. Browser evaluation remains an intentional trusted-operator feature when it is used on pages that policy allowed the browser to visit. Affected configurations This affects deployments where browser control is enabled and an authenticated browser-control caller can interact with an attacker-controlled page that redirects or navigates the tab to a private-network target through a UI action. Impact If the browser reached a private page through an unchecked action-triggered navigation, a caller with browser evaluation capability could read page content that direct navigation policy would have blocked. The issue does not grant access to OpenClaw without authentication. It bypasses the private-network navigation guard for a specific browser action path. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, restrict browser-control access to trusted operators and avoid using browser control on untrusted pages in environments with sensitive private web services.", - "affected": [ - "openclaw@< 2026.5.18" - ], - "patched": [ - "openclaw@2026.5.18" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:04Z", - "updated": "2026-05-28T17:39:04Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", - "nvd_url": null, - "cvss_score": 7.7, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", - "cwe_ids": [ - "CWE-284", - "CWE-918" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-2hfg-4fh4-qp7f" - ], - "source_feed": "ghsa-without-cve" - }, - { - "id": "GHSA-v6r2-jh58-xx6w", - "ghsa_id": "GHSA-v6r2-jh58-xx6w", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "os_command_injection", - "nvd_category_id": "CWE-78", - "title": "Marketplace runtime extension metadata could point at unscanned payloads", - "description": "Summary Marketplace runtime extension metadata could point at unscanned payloads. In affected versions, a package selected for installation by a trusted operator could redirect runtime loading toward hidden package content that was not scanned as expected. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load plugin code outside the reviewed package entry points. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations install only trusted plugins and keep plugin allowlists explicit until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@< 2026.5.18" - ], - "patched": [ - "openclaw@2026.5.18" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:03Z", - "updated": "2026-05-28T17:39:03Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-78", - "CWE-94", - "CWE-284", - "CWE-829" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-v6r2-jh58-xx6w" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-mhq8-78pj-5j79", "ghsa_id": "GHSA-mhq8-78pj-5j79", @@ -2892,50 +2829,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-vxx3-6hc9-7cc3", - "ghsa_id": "GHSA-vxx3-6hc9-7cc3", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": "CWE-367", - "title": "Combined POSIX shell options could confuse exec revalidation", - "description": "Summary Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run inline shell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations avoid combined shell option forms in allowlisted commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<= 2026.5.7" - ], - "patched": [ - "openclaw@2026.5.12" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:38:54Z", - "updated": "2026-05-28T17:38:54Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-367" - ], - "credits": [ - "YLChen-007" - ], - "aliases": [ - "GHSA-vxx3-6hc9-7cc3" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-2j8v-hwgc-x698", "ghsa_id": "GHSA-2j8v-hwgc-x698", @@ -2978,52 +2871,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-q7q8-3mgw-q67r", - "ghsa_id": "GHSA-q7q8-3mgw-q67r", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "exposure_of_sensitive_information", - "nvd_category_id": "CWE-200", - "title": "Message read actions could skip channel allowlist checks", - "description": "Summary Message read actions could skip channel allowlist checks. In affected versions, a lower-trust caller with access to the affected message read action could request messages without the same channel allowlist check used by normal delivery. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose messages from a channel that was not intended for that caller. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.19. Mitigations limit message read actions to trusted operators and keep channel allowlists narrow. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<= 2026.5.18", - "openclaw@<= 2026.5.19-beta.2" - ], - "patched": [ - "openclaw@2026.5.19" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:38:50Z", - "updated": "2026-05-28T17:38:50Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-200", - "CWE-862" - ], - "credits": [ - "samchodev" - ], - "aliases": [ - "GHSA-q7q8-3mgw-q67r" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-gxg4-2rrr-jhc7", "ghsa_id": "GHSA-gxg4-2rrr-jhc7", diff --git a/advisories/feed.json.sig b/advisories/feed.json.sig index 22125cb..72d39ae 100644 --- a/advisories/feed.json.sig +++ b/advisories/feed.json.sig @@ -1 +1 @@ -agiAAFvzM1vNHxH2+bGtyeKqFScLWJHnNreBcPpTODUqD0xqFi0cnyP/ZaZX+Rsw1Y9uZ7pGdFdA93pD4lh2BQ== \ No newline at end of file +1mDO2Dzr9LmliE5Gg9mthOpIqx+OuxifLV4BN167XvG9ATyyrBn9N4FwImv396EQpD83MZGO9VzxCPcYYwpuDg== \ No newline at end of file diff --git a/advisories/ghsa-without-cve.json b/advisories/ghsa-without-cve.json index 2c73dc6..d7d74f3 100644 --- a/advisories/ghsa-without-cve.json +++ b/advisories/ghsa-without-cve.json @@ -1,6 +1,6 @@ { "version": "0.1.0", - "updated": "2026-06-10T08:30:16Z", + "updated": "2026-06-12T07:34:36Z", "description": "Provisional ClawSec advisory feed for public GitHub Security Advisories that do not yet have CVE identifiers.", "stale_after_days": 60, "semantics": { @@ -80,8 +80,8 @@ { "id": "GHSA-rj6p-xmxr-qj4h", "ghsa_id": "GHSA-rj6p-xmxr-qj4h", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53818", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -98,16 +98,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53818 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:40:09Z", "updated": "2026-05-28T17:40:10Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53818" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53818", "cvss_score": 6.6, "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "cwe_ids": [ @@ -119,7 +120,8 @@ "qclawer" ], "aliases": [ - "GHSA-rj6p-xmxr-qj4h" + "GHSA-rj6p-xmxr-qj4h", + "CVE-2026-53818" ] }, { @@ -209,8 +211,8 @@ { "id": "GHSA-p39j-x9h5-q66m", "ghsa_id": "GHSA-p39j-x9h5-q66m", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53809", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -227,16 +229,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53809 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:40:05Z", "updated": "2026-05-28T17:40:05Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53809" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53809", "cvss_score": null, "cvss_vector": null, "cwe_ids": [], @@ -246,7 +249,8 @@ "qclawer" ], "aliases": [ - "GHSA-p39j-x9h5-q66m" + "GHSA-p39j-x9h5-q66m", + "CVE-2026-53809" ] }, { @@ -504,8 +508,8 @@ { "id": "GHSA-v8cx-933x-r976", "ghsa_id": "GHSA-v8cx-933x-r976", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53813", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -522,16 +526,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53813 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:56Z", "updated": "2026-05-28T17:39:56Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53813" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53813", "cvss_score": null, "cvss_vector": null, "cwe_ids": [], @@ -539,7 +544,8 @@ "feynman-hou" ], "aliases": [ - "GHSA-v8cx-933x-r976" + "GHSA-v8cx-933x-r976", + "CVE-2026-53813" ] }, { @@ -627,8 +633,8 @@ { "id": "GHSA-8wg3-5mcm-fjq8", "ghsa_id": "GHSA-8wg3-5mcm-fjq8", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53819", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -645,16 +651,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53819 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:53Z", "updated": "2026-05-28T17:39:53Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53819" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53819", "cvss_score": null, "cvss_vector": null, "cwe_ids": [], @@ -662,7 +669,8 @@ "feynman-hou" ], "aliases": [ - "GHSA-8wg3-5mcm-fjq8" + "GHSA-8wg3-5mcm-fjq8", + "CVE-2026-53819" ] }, { @@ -1183,8 +1191,8 @@ { "id": "GHSA-cqwv-9qjx-vxw2", "ghsa_id": "GHSA-cqwv-9qjx-vxw2", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53808", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -1201,16 +1209,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53808 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:35Z", "updated": "2026-05-28T17:39:35Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53808" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53808", "cvss_score": 5.3, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "cwe_ids": [], @@ -1220,7 +1229,8 @@ "qclawer" ], "aliases": [ - "GHSA-cqwv-9qjx-vxw2" + "GHSA-cqwv-9qjx-vxw2", + "CVE-2026-53808" ] }, { @@ -1312,8 +1322,8 @@ { "id": "GHSA-w5ww-7chg-mxcq", "ghsa_id": "GHSA-w5ww-7chg-mxcq", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53807", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -1330,16 +1340,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53807 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:32Z", "updated": "2026-05-28T17:39:32Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53807" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53807", "cvss_score": null, "cvss_vector": null, "cwe_ids": [], @@ -1349,7 +1360,8 @@ "qclawer" ], "aliases": [ - "GHSA-w5ww-7chg-mxcq" + "GHSA-w5ww-7chg-mxcq", + "CVE-2026-53807" ] }, { @@ -1398,8 +1410,8 @@ { "id": "GHSA-7hxm-f538-3xp6", "ghsa_id": "GHSA-7hxm-f538-3xp6", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53811", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -1416,16 +1428,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53811 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:30Z", "updated": "2026-05-28T17:39:30Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53811" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53811", "cvss_score": null, "cvss_vector": null, "cwe_ids": [ @@ -1435,7 +1448,8 @@ "PhilipPhil" ], "aliases": [ - "GHSA-7hxm-f538-3xp6" + "GHSA-7hxm-f538-3xp6", + "CVE-2026-53811" ] }, { @@ -1914,8 +1928,8 @@ { "id": "GHSA-chr9-m4q2-76hw", "ghsa_id": "GHSA-chr9-m4q2-76hw", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53817", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "high", @@ -1932,16 +1946,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53817 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:12Z", "updated": "2026-05-28T17:39:12Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53817" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53817", "cvss_score": 8, "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ @@ -1954,7 +1969,8 @@ "cantinagen" ], "aliases": [ - "GHSA-chr9-m4q2-76hw" + "GHSA-chr9-m4q2-76hw", + "CVE-2026-53817" ] }, { @@ -2008,8 +2024,8 @@ { "id": "GHSA-6fvr-66p3-3qj4", "ghsa_id": "GHSA-6fvr-66p3-3qj4", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53814", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "high", @@ -2026,16 +2042,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53814 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:09Z", "updated": "2026-05-28T17:39:09Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53814" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53814", "cvss_score": 8.4, "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "cwe_ids": [ @@ -2047,7 +2064,8 @@ "Ellahinator" ], "aliases": [ - "GHSA-6fvr-66p3-3qj4" + "GHSA-6fvr-66p3-3qj4", + "CVE-2026-53814" ] }, { @@ -2098,8 +2116,8 @@ { "id": "GHSA-3c6j-hq33-3jv4", "ghsa_id": "GHSA-3c6j-hq33-3jv4", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53816", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "high", @@ -2116,16 +2134,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53816 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:06Z", "updated": "2026-05-28T17:39:06Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53816" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53816", "cvss_score": 7.2, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ @@ -2137,14 +2156,15 @@ "Ellahinator" ], "aliases": [ - "GHSA-3c6j-hq33-3jv4" + "GHSA-3c6j-hq33-3jv4", + "CVE-2026-53816" ] }, { "id": "GHSA-2hfg-4fh4-qp7f", "ghsa_id": "GHSA-2hfg-4fh4-qp7f", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53812", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "high", @@ -2161,16 +2181,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53812 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:04Z", "updated": "2026-05-28T17:39:04Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53812" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53812", "cvss_score": 7.7, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "cwe_ids": [ @@ -2182,14 +2203,15 @@ "Ellahinator" ], "aliases": [ - "GHSA-2hfg-4fh4-qp7f" + "GHSA-2hfg-4fh4-qp7f", + "CVE-2026-53812" ] }, { "id": "GHSA-v6r2-jh58-xx6w", "ghsa_id": "GHSA-v6r2-jh58-xx6w", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53810", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -2206,16 +2228,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53810 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:39:03Z", "updated": "2026-05-28T17:39:03Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53810" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53810", "cvss_score": null, "cvss_vector": null, "cwe_ids": [ @@ -2229,7 +2252,8 @@ "Ellahinator" ], "aliases": [ - "GHSA-v6r2-jh58-xx6w" + "GHSA-v6r2-jh58-xx6w", + "CVE-2026-53810" ] }, { @@ -2418,8 +2442,8 @@ { "id": "GHSA-vxx3-6hc9-7cc3", "ghsa_id": "GHSA-vxx3-6hc9-7cc3", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53806", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -2436,16 +2460,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53806 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:38:54Z", "updated": "2026-05-28T17:38:54Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53806" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53806", "cvss_score": null, "cvss_vector": null, "cwe_ids": [ @@ -2455,7 +2480,8 @@ "YLChen-007" ], "aliases": [ - "GHSA-vxx3-6hc9-7cc3" + "GHSA-vxx3-6hc9-7cc3", + "CVE-2026-53806" ] }, { @@ -2502,8 +2528,8 @@ { "id": "GHSA-q7q8-3mgw-q67r", "ghsa_id": "GHSA-q7q8-3mgw-q67r", - "cve_id": null, - "status": "active", + "cve_id": "CVE-2026-53815", + "status": "matured", "stale": false, "stale_after_days": 60, "severity": "medium", @@ -2521,16 +2547,17 @@ "platforms": [ "openclaw" ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", + "action": "Track CVE-2026-53815 in the canonical CVE advisory feed and verify affected components.", "published": "2026-05-28T17:38:50Z", "updated": "2026-05-28T17:38:50Z", "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r" + "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", + "https://nvd.nist.gov/vuln/detail/CVE-2026-53815" ], "source": "GitHub Security Advisory", "repository": "openclaw/openclaw", "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", - "nvd_url": null, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53815", "cvss_score": null, "cvss_vector": null, "cwe_ids": [ @@ -2541,7 +2568,8 @@ "samchodev" ], "aliases": [ - "GHSA-q7q8-3mgw-q67r" + "GHSA-q7q8-3mgw-q67r", + "CVE-2026-53815" ] }, { diff --git a/advisories/ghsa-without-cve.json.sig b/advisories/ghsa-without-cve.json.sig index 30f8b37..8f1c4d1 100644 --- a/advisories/ghsa-without-cve.json.sig +++ b/advisories/ghsa-without-cve.json.sig @@ -1 +1 @@ -q1EyZ75QcdG2X6FVDkUoAyBtQE3ONA+7k9cmNFmXFgOOuGRPOpSDFUtbSvy86HPqnii26DMoeFJ1hatWJ0lBCQ== \ No newline at end of file +0T+CmosXcbwSSDe75ATSwmuXTVT1jjCGQ/F6ZkmMgdp8OvJ2it87E96QHFO2iy6swvJdCsHUMXSFkcjb5Ij5DA== \ No newline at end of file diff --git a/skills/clawsec-feed/advisories/feed.json b/skills/clawsec-feed/advisories/feed.json index 2aa9f68..11c75f3 100644 --- a/skills/clawsec-feed/advisories/feed.json +++ b/skills/clawsec-feed/advisories/feed.json @@ -1,8 +1,484 @@ { "version": "0.0.3", - "updated": "2026-06-10T08:30:16Z", + "updated": "2026-06-12T07:34:34Z", "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.", "advisories": [ + { + "id": "CVE-2026-53819", + "severity": "high", + "type": "unknown_cwe_426", + "nvd_category_id": "CWE-426", + "title": "OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows ...", + "description": "OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:24.227", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", + "https://www.vulncheck.com/advisories/openclaw-arbitrary-homebrew-executable-execution-via-workspace-env-override" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53819", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": false, + "requires_user_interaction": true, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53818", + "severity": "medium", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature...", + "description": "OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:24.090", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", + "https://www.vulncheck.com/advisories/openclaw-owner-only-tool-policy-bypass-via-mcp-loopback" + ], + "cvss_score": 6.6, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53818", + "exploitability_score": "medium", + "exploitability_rationale": "Medium CVSS score (6.6); requires local access", + "attack_vector_analysis": { + "is_network_accessible": false, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53817", + "severity": "high", + "type": "unknown_cwe_290", + "nvd_category_id": "CWE-290", + "title": "OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that al...", + "description": "OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.960", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", + "https://www.vulncheck.com/advisories/openclaw-control-ui-locality-spoofing-in-device-pairing" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53817", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53816", + "severity": "high", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event...", + "description": "OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.830", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", + "https://www.vulncheck.com/advisories/openclaw-exec-lifecycle-event-forgery-via-paired-node" + ], + "cvss_score": 7.2, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53816", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (7.2); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53815", + "severity": "medium", + "type": "missing_authorization", + "nvd_category_id": "CWE-862", + "title": "OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions tha...", + "description": "OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.697", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", + "https://www.vulncheck.com/advisories/openclaw-channel-allowlist-bypass-in-message-read-actions" + ], + "cvss_score": 6.5, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53815", + "exploitability_score": "medium", + "exploitability_rationale": "Medium CVSS score (6.5); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53814", + "severity": "high", + "type": "unknown_cwe_266", + "nvd_category_id": "CWE-266", + "title": "OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent r...", + "description": "OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.570", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", + "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-hook-triggered-cli-mcp-tool-authority" + ], + "cvss_score": 8.3, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53814", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.3); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53813", + "severity": "high", + "type": "unknown_cwe_427", + "nvd_category_id": "CWE-427", + "title": "OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading wh...", + "description": "OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.440", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", + "https://www.vulncheck.com/advisories/openclaw-arbitrary-artifact-loading-via-fake-package-root-resolution" + ], + "cvss_score": 7.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53813", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (7.8); requires local access; path traversal affects agents with file access", + "attack_vector_analysis": { + "is_network_accessible": false, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53812", + "severity": "high", + "type": "server_side_request_forgery", + "nvd_category_id": "CWE-918", + "title": "OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control th...", + "description": "OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.303", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", + "https://www.vulncheck.com/advisories/openclaw-private-network-navigation-bypass-via-browser-act-interactions" + ], + "cvss_score": 7.7, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53812", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (7.7); network accessible; SSRF affects agents making external requests", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53811", + "severity": "high", + "type": "unknown_cwe_290", + "nvd_category_id": "CWE-290", + "title": "OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom featu...", + "description": "OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.167", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", + "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-mutable-display-names-in-matrix-allowfrom" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53811", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53810", + "severity": "high", + "type": "unknown_cwe_829", + "nvd_category_id": "CWE-829", + "title": "OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extensio...", + "description": "OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, bypassing security scanning.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:23.030", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", + "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unscanned-marketplace-runtime-extension-metadata" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53810", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": false, + "requires_user_interaction": true, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53809", + "severity": "low", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allo...", + "description": "OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.857", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", + "https://www.vulncheck.com/advisories/openclaw-provider-alias-confusion-in-embedded-runner-policy" + ], + "cvss_score": 3.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53809", + "exploitability_score": "low", + "exploitability_rationale": "Low CVSS score (3.8); requires local access", + "attack_vector_analysis": { + "is_network_accessible": false, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53808", + "severity": "medium", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop appl...", + "description": "OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before the expected approval step, potentially modifying configurations without proper authorization.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.717", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", + "https://www.vulncheck.com/advisories/openclaw-approval-policy-bypass-in-skill-workshop-apply-flow" + ], + "cvss_score": 6.5, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53808", + "exploitability_score": "medium", + "exploitability_rationale": "Medium CVSS score (6.5); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": false, + "requires_user_interaction": true, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53807", + "severity": "high", + "type": "incorrect_authorization", + "nvd_category_id": "CWE-863", + "title": "OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive call...", + "description": "OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.580", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", + "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-telegram-interactive-callbacks-via-commands-allowfrom" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53807", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, + { + "id": "CVE-2026-53806", + "severity": "high", + "type": "unknown_cwe_367", + "nvd_category_id": "CWE-367", + "title": "OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX s...", + "description": "OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without intended allowlist validation, potentially enabling unauthorized command execution when the affected feature is enabled.", + "affected": [ + "openclaw@*" + ], + "platforms": [ + "openclaw" + ], + "action": "Review and update affected components. See NVD for remediation details.", + "published": "2026-06-11T21:16:22.443", + "references": [ + "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", + "https://www.vulncheck.com/advisories/openclaw-shell-option-parsing-bypass-in-exec-revalidation" + ], + "cvss_score": 8.8, + "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53806", + "exploitability_score": "high", + "exploitability_rationale": "High CVSS score (8.8); network accessible", + "attack_vector_analysis": { + "is_network_accessible": true, + "requires_authentication": true, + "requires_user_interaction": false, + "complexity": "low" + }, + "exploit_detection": { + "exploit_available": false, + "exploit_sources": [] + } + }, { "id": "CVE-2026-11461", "severity": "medium", @@ -500,52 +976,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-rj6p-xmxr-qj4h", - "ghsa_id": "GHSA-rj6p-xmxr-qj4h", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "missing_authorization", - "nvd_category_id": "CWE-862", - "title": "MCP loopback could skip owner-only tool policy for non-owner callers", - "description": "Summary MCP loopback could skip owner-only tool policy for non-owner callers. In affected versions, a non-owner caller reaching the affected loopback path could skip owner-only tool policy and before-tool-call hooks. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could invoke owner-only behavior through that loopback path. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Resolution Update to a patched OpenClaw release when one is listed for this advisory. If the Patched versions field is populated, use that version or later. Mitigations restrict MCP loopback access to trusted operators until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<2026.4.24" - ], - "patched": [ - "openclaw@2026.4.24" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:40:09Z", - "updated": "2026-05-28T17:40:10Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rj6p-xmxr-qj4h", - "nvd_url": null, - "cvss_score": 6.6, - "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", - "cwe_ids": [ - "CWE-862" - ], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-rj6p-xmxr-qj4h" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-4m3v-q747-pc6h", "ghsa_id": "GHSA-4m3v-q747-pc6h", @@ -632,50 +1062,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-p39j-x9h5-q66m", - "ghsa_id": "GHSA-p39j-x9h5-q66m", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Embedded runner policy could be confused by provider aliases", - "description": "Summary Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could select bundled tool access outside the intended provider policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations avoid provider alias routing for embedded runner tool policy until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.4.24" - ], - "patched": [ - "openclaw@2026.4.25" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:40:05Z", - "updated": "2026-05-28T17:40:05Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p39j-x9h5-q66m", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-p39j-x9h5-q66m" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-mpc8-jxjh-qpgh", "ghsa_id": "GHSA-mpc8-jxjh-qpgh", @@ -934,48 +1320,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-v8cx-933x-r976", - "ghsa_id": "GHSA-v8cx-933x-r976", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Fake package roots could influence memory-core artifact loading", - "description": "Summary Fake package roots could influence memory-core artifact loading. In affected versions, a local package root resolution path influenced by workspace state could select a package root that was not the intended bundled artifact root. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load memory-core artifacts from an unintended local location. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.4.25. Mitigations run memory-core flows from trusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.4.24" - ], - "patched": [ - "openclaw@2026.4.25" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:56Z", - "updated": "2026-05-28T17:39:56Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "feynman-hou" - ], - "aliases": [ - "GHSA-v8cx-933x-r976" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-wc84-j36w-pw4x", "ghsa_id": "GHSA-wc84-j36w-pw4x", @@ -1060,48 +1404,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-8wg3-5mcm-fjq8", - "ghsa_id": "GHSA-8wg3-5mcm-fjq8", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Workspace .env could override Homebrew executable selection for skill install flows", - "description": "Summary Workspace .env could override Homebrew executable selection for skill install flows. In affected versions, a workspace .env in a repository opened by a trusted operator could override the Homebrew executable used by the install helper. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run an unintended Homebrew-compatible executable during skill setup. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.27. Mitigations avoid running skill install flows from untrusted workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@< 2026.5.27" - ], - "patched": [ - "openclaw@2026.5.27" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:53Z", - "updated": "2026-05-28T17:39:53Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8wg3-5mcm-fjq8", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "feynman-hou" - ], - "aliases": [ - "GHSA-8wg3-5mcm-fjq8" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-77pv-3w4q-vrj5", "ghsa_id": "GHSA-77pv-3w4q-vrj5", @@ -1629,50 +1931,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-cqwv-9qjx-vxw2", - "ghsa_id": "GHSA-cqwv-9qjx-vxw2", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Skill Workshop apply flow could override pending approval", - "description": "Summary Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set apply: true despite approvalPolicy: pending. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could apply a workshop change before the expected approval step. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations review Skill Workshop changes manually and keep the tool restricted until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.5.5" - ], - "patched": [ - "openclaw@2026.5.6" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:35Z", - "updated": "2026-05-28T17:39:35Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cqwv-9qjx-vxw2", - "nvd_url": null, - "cvss_score": 5.3, - "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", - "cwe_ids": [], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-cqwv-9qjx-vxw2" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-68xw-r643-9p5w", "ghsa_id": "GHSA-68xw-r643-9p5w", @@ -1761,50 +2019,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-w5ww-7chg-mxcq", - "ghsa_id": "GHSA-w5ww-7chg-mxcq", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": null, - "title": "Telegram interactive callbacks could skip commands.allowFrom", - "description": "Summary Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.6. Mitigations restrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<=2026.5.5" - ], - "patched": [ - "openclaw@2026.5.6" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:32Z", - "updated": "2026-05-28T17:39:32Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [], - "credits": [ - "zsxsoft", - "KeenSecurityLab", - "qclawer" - ], - "aliases": [ - "GHSA-w5ww-7chg-mxcq" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-p73f-w79w-jqr5", "ghsa_id": "GHSA-p73f-w79w-jqr5", @@ -1849,50 +2063,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-7hxm-f538-3xp6", - "ghsa_id": "GHSA-7hxm-f538-3xp6", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": "CWE-290", - "title": "Matrix allowFrom could bind to mutable display names", - "description": "Summary Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could receive agent access intended for another Matrix identity. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.7. Mitigations use stable Matrix user IDs in allowlists until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<= 2026.5.6" - ], - "patched": [ - "openclaw@2026.5.7" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:30Z", - "updated": "2026-05-28T17:39:30Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7hxm-f538-3xp6", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-290" - ], - "credits": [ - "PhilipPhil" - ], - "aliases": [ - "GHSA-7hxm-f538-3xp6" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-cw4q-gqg5-g38h", "ghsa_id": "GHSA-cw4q-gqg5-g38h", @@ -2377,53 +2547,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-chr9-m4q2-76hw", - "ghsa_id": "GHSA-chr9-m4q2-76hw", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "improper_access_control", - "nvd_category_id": "CWE-284", - "title": "Control UI locality spoofing could mint a durable admin device token", - "description": "Summary In affected LAN/shared-token Control UI deployments, a caller could spoof locality information used during Control UI pairing and obtain a durable admin-capable device token. This issue is limited to deployments where the caller already has the network/authentication foothold needed to reach the Control UI pairing path. It is not an unauthenticated internet exposure issue. Affected configurations This affects configurations such as LAN-bound gateways or shared-token Control UI access where locality signals were accepted as sufficient for pairing decisions. Impact A temporary or shared Control UI access path could be turned into a persistent admin device token. That token could remain useful after the shared gateway token was rotated, unless the paired device was removed. The issue is a pairing/locality validation problem: locality-derived trust was stronger than it should have been. Patched Versions The first stable patched version is 2026.5.22. Mitigations Upgrade to openclaw@2026.5.22 or later. For older deployments, remove unexpected paired devices and avoid exposing Control UI pairing paths on networks with untrusted clients.", - "affected": [ - "openclaw@< 2026.5.22" - ], - "patched": [ - "openclaw@2026.5.22" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:12Z", - "updated": "2026-05-28T17:39:12Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chr9-m4q2-76hw", - "nvd_url": null, - "cvss_score": 8, - "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cwe_ids": [ - "CWE-284", - "CWE-287", - "CWE-290", - "CWE-863" - ], - "credits": [ - "cantinagen" - ], - "aliases": [ - "GHSA-chr9-m4q2-76hw" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-rggc-m335-3wvj", "ghsa_id": "GHSA-rggc-m335-3wvj", @@ -2473,52 +2596,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-6fvr-66p3-3qj4", - "ghsa_id": "GHSA-6fvr-66p3-3qj4", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "exposure_of_sensitive_information", - "nvd_category_id": "CWE-200", - "title": "Hook-triggered CLI runs could receive owner MCP tool authority", - "description": "Summary OpenClaw hook ingress can start automated agent runs using a configured hook token. In affected releases, a hook-triggered run could select a bundled CLI backend that received owner-scoped MCP loopback authority instead of a scope appropriate for hook ingress. This issue affects the boundary between hook-token automation and owner-only MCP tools. It does not affect deployments with hooks disabled. Affected configurations This affects deployments where hooks are enabled, /hooks/agent is reachable with a valid hook token, and a bundled CLI backend can be selected for the hook-triggered run. Impact A caller with the hook token could cause the spawned CLI runtime to see or call MCP tools that should have been owner-only. The practical impact depends on which MCP tools are available; the reported proof used persistent cron state as a representative owner-only action. Patched Versions The first stable patched version is 2026.5.20. Fixed in the 2026.5.20 stable release. Mitigations Upgrade to openclaw@2026.5.20 or later. Keep hook tokens secret, restrict network access to hook endpoints, and disable hooks when they are not needed.", - "affected": [ - "openclaw@< 2026.5.20" - ], - "patched": [ - "openclaw@2026.5.20" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:09Z", - "updated": "2026-05-28T17:39:09Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6fvr-66p3-3qj4", - "nvd_url": null, - "cvss_score": 8.4, - "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", - "cwe_ids": [ - "CWE-200", - "CWE-284" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-6fvr-66p3-3qj4" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-q99w-vh6v-q3v7", "ghsa_id": "GHSA-q99w-vh6v-q3v7", @@ -2565,146 +2642,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-3c6j-hq33-3jv4", - "ghsa_id": "GHSA-3c6j-hq33-3jv4", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "improper_access_control", - "nvd_category_id": "CWE-284", - "title": "Paired nodes could forge exec lifecycle events without system.run provenance", - "description": "Summary OpenClaw nodes send lifecycle events back to the gateway. In affected releases, a paired node could send an exec lifecycle event that was accepted without enough provenance tying it to an authorized system.run request. This issue affects the node event boundary. It does not allow an unauthenticated caller to reach the gateway; the attacker must already control a paired node connection. Affected configurations This affects deployments with a paired node where that node can send crafted node.event messages to the gateway and the target agent/session can process exec lifecycle events. Impact A malicious or compromised paired node could make the gateway treat attacker-supplied event data as an exec lifecycle result. In the vulnerable flow, that could steer the target session into an exec-event path that exposed capabilities the reduced node surface should not have provided. The issue is a missing provenance check for node-originated lifecycle events. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Pair nodes only from trusted environments, and remove/re-pair nodes that may have been compromised.", - "affected": [ - "openclaw@< 2026.5.18" - ], - "patched": [ - "openclaw@2026.5.18" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:06Z", - "updated": "2026-05-28T17:39:06Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6j-hq33-3jv4", - "nvd_url": null, - "cvss_score": 7.2, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "cwe_ids": [ - "CWE-284", - "CWE-863" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-3c6j-hq33-3jv4" - ], - "source_feed": "ghsa-without-cve" - }, - { - "id": "GHSA-2hfg-4fh4-qp7f", - "ghsa_id": "GHSA-2hfg-4fh4-qp7f", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "high", - "type": "improper_access_control", - "nvd_category_id": "CWE-284", - "title": "Browser act interactions could bypass private-network navigation checks", - "description": "Summary OpenClaw's browser control SSRF checks blocked direct navigation to private or loopback URLs, but some Playwright act interactions could trigger navigation after the initial check. A later browser evaluation could then read from the page reached by that action-triggered navigation. This issue is specific to browser control actions and private-network navigation policy. Browser evaluation remains an intentional trusted-operator feature when it is used on pages that policy allowed the browser to visit. Affected configurations This affects deployments where browser control is enabled and an authenticated browser-control caller can interact with an attacker-controlled page that redirects or navigates the tab to a private-network target through a UI action. Impact If the browser reached a private page through an unchecked action-triggered navigation, a caller with browser evaluation capability could read page content that direct navigation policy would have blocked. The issue does not grant access to OpenClaw without authentication. It bypasses the private-network navigation guard for a specific browser action path. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, restrict browser-control access to trusted operators and avoid using browser control on untrusted pages in environments with sensitive private web services.", - "affected": [ - "openclaw@< 2026.5.18" - ], - "patched": [ - "openclaw@2026.5.18" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:04Z", - "updated": "2026-05-28T17:39:04Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hfg-4fh4-qp7f", - "nvd_url": null, - "cvss_score": 7.7, - "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", - "cwe_ids": [ - "CWE-284", - "CWE-918" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-2hfg-4fh4-qp7f" - ], - "source_feed": "ghsa-without-cve" - }, - { - "id": "GHSA-v6r2-jh58-xx6w", - "ghsa_id": "GHSA-v6r2-jh58-xx6w", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "os_command_injection", - "nvd_category_id": "CWE-78", - "title": "Marketplace runtime extension metadata could point at unscanned payloads", - "description": "Summary Marketplace runtime extension metadata could point at unscanned payloads. In affected versions, a package selected for installation by a trusted operator could redirect runtime loading toward hidden package content that was not scanned as expected. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could load plugin code outside the reviewed package entry points. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.18. Mitigations install only trusted plugins and keep plugin allowlists explicit until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@< 2026.5.18" - ], - "patched": [ - "openclaw@2026.5.18" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:39:03Z", - "updated": "2026-05-28T17:39:03Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6r2-jh58-xx6w", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-78", - "CWE-94", - "CWE-284", - "CWE-829" - ], - "credits": [ - "cantinagen", - "Ellahinator" - ], - "aliases": [ - "GHSA-v6r2-jh58-xx6w" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-mhq8-78pj-5j79", "ghsa_id": "GHSA-mhq8-78pj-5j79", @@ -2892,50 +2829,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-vxx3-6hc9-7cc3", - "ghsa_id": "GHSA-vxx3-6hc9-7cc3", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "github_security_advisory", - "nvd_category_id": "CWE-367", - "title": "Combined POSIX shell options could confuse exec revalidation", - "description": "Summary Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could run inline shell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.12. Mitigations avoid combined shell option forms in allowlisted commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<= 2026.5.7" - ], - "patched": [ - "openclaw@2026.5.12" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:38:54Z", - "updated": "2026-05-28T17:38:54Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vxx3-6hc9-7cc3", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-367" - ], - "credits": [ - "YLChen-007" - ], - "aliases": [ - "GHSA-vxx3-6hc9-7cc3" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-2j8v-hwgc-x698", "ghsa_id": "GHSA-2j8v-hwgc-x698", @@ -2978,52 +2871,6 @@ ], "source_feed": "ghsa-without-cve" }, - { - "id": "GHSA-q7q8-3mgw-q67r", - "ghsa_id": "GHSA-q7q8-3mgw-q67r", - "cve_id": null, - "status": "active", - "stale": false, - "stale_after_days": 60, - "severity": "medium", - "type": "exposure_of_sensitive_information", - "nvd_category_id": "CWE-200", - "title": "Message read actions could skip channel allowlist checks", - "description": "Summary Message read actions could skip channel allowlist checks. In affected versions, a lower-trust caller with access to the affected message read action could request messages without the same channel allowlist check used by normal delivery. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. Impact When the affected feature is enabled and reachable, this could expose messages from a channel that was not intended for that caller. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. Patched Versions The first stable patched version is 2026.5.19. Mitigations limit message read actions to trusted operators and keep channel allowlists narrow. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.", - "affected": [ - "openclaw@<= 2026.5.18", - "openclaw@<= 2026.5.19-beta.2" - ], - "patched": [ - "openclaw@2026.5.19" - ], - "platforms": [ - "openclaw" - ], - "action": "Review the GitHub Security Advisory and update affected components; no CVE is assigned yet.", - "published": "2026-05-28T17:38:50Z", - "updated": "2026-05-28T17:38:50Z", - "references": [ - "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r" - ], - "source": "GitHub Security Advisory", - "repository": "openclaw/openclaw", - "github_advisory_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q7q8-3mgw-q67r", - "nvd_url": null, - "cvss_score": null, - "cvss_vector": null, - "cwe_ids": [ - "CWE-200", - "CWE-862" - ], - "credits": [ - "samchodev" - ], - "aliases": [ - "GHSA-q7q8-3mgw-q67r" - ], - "source_feed": "ghsa-without-cve" - }, { "id": "GHSA-gxg4-2rrr-jhc7", "ghsa_id": "GHSA-gxg4-2rrr-jhc7", diff --git a/skills/clawsec-feed/advisories/feed.json.sig b/skills/clawsec-feed/advisories/feed.json.sig index 22125cb..72d39ae 100644 --- a/skills/clawsec-feed/advisories/feed.json.sig +++ b/skills/clawsec-feed/advisories/feed.json.sig @@ -1 +1 @@ -agiAAFvzM1vNHxH2+bGtyeKqFScLWJHnNreBcPpTODUqD0xqFi0cnyP/ZaZX+Rsw1Y9uZ7pGdFdA93pD4lh2BQ== \ No newline at end of file +1mDO2Dzr9LmliE5Gg9mthOpIqx+OuxifLV4BN167XvG9ATyyrBn9N4FwImv396EQpD83MZGO9VzxCPcYYwpuDg== \ No newline at end of file